RSA, the security firm that confirmed two of its products by default use a crucial cryptography component reportedly weakened by the National Security Agency, said such design choices are made independently.
“RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any backdoors in our products,” the security division of EMC said in a brief statement published Friday. “Decisions about the features and functionality of RSA products are our own.”
The post came a day after RSA advised customers of the BSAFE toolkit and the Data Protection Manager to stop using something called Dual_EC_DRBG, which is the default random number generator (RNG) for creating cryptographic keys for both applications. The New York Times recently reported that the technology contained backdoor weaknesses inserted by the NSA before the National Institute of Standards and Technology formally adopted it as a standard in 2006.
Also on Friday, a person familiar told Ars that the weak RNG “is contained nowhere in RSA SecurID or the RSA Authentication Manager software; it uses a different FiPS-compliant RNG.” The clarification is important, since millions of people use the SecureID token to log into sensitive networks operated by the US government and US government contractors.