This appears to be a strong denial, which they support by claiming that NSA was successfully promoting Dual EC DRBG as a better RNG to NIST and the tech industry. That is, they were being misled as much as anyone else who believed the NSA regarding Dual EC DRBG.
That sounds good. But the don't even go near the heart of the matter, which, from the Reuters report is:
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
RSA does not deny that they took $10M to use Dual EC DRBG as the default in BSafe. Nor do they say why they did, if there is a reason other than that the NSA paid to make it so. They do not say why they took a sum which boosted their revenue by over 30% in return for no deliverables other than a change in default configuration - a couple minutes of work.
Because it's really hard to argue in favor of that particular RNG. It's kludgy, it's slow, the quality of the numbers out of it— by basic RNG tests— are not very good.
They could have tried to suggest all other options were weak for secret reasons but that seems like a pretty big risk.
I thought the whole point here was that Dual EC DRBG was clearly better at the time.
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
Clarification: The argument was not that it was clearly better, but that RSA believed the NSA could be trusted to have good intentions. This makes changing a bit more suspicious, but i guess the argument is that it wasn't suspicious enough to... reject $10M?
Worth noting: as I understand, it boosted the revenues of that specific business unit by 30% - the whole of RSA has much more than $20m of revenues.
If so, it's interesting in a "oh, it's like the Enron team in Arthur Andersen taking down the entire practice for a relatively small sum of money" kind of way...
That sounds good. But the don't even go near the heart of the matter, which, from the Reuters report is:
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
RSA does not deny that they took $10M to use Dual EC DRBG as the default in BSafe. Nor do they say why they did, if there is a reason other than that the NSA paid to make it so. They do not say why they took a sum which boosted their revenue by over 30% in return for no deliverables other than a change in default configuration - a couple minutes of work.