RSA paid $10m by NSA to use weakened security in its products, claims Reuters - UPDATED

EMC-owned company took $10m from the NSA to use cryptography known to be weak in its security software, claims Reuters

Security software vendor RSA was at the centre of a storm today after claims emerged that it took payments of $10m from the US National Security Agency (NSA) to use compromised cryptography in its products.

However, RSA has today, Monday, "categorically denied" the claims.

The payments relate to RSA's Bsafe software tool, which was found in September to use cryptography compromised by the NSA. The software implemented standards developed in standardisation bodies into which the NSA had infiltrated agents for the deliberate purpose of pushing through a compromised standard.

Bsafe is widely used to secure PCs and other products. While the security flaw and the NSA's role in it were publicised in September, RSA explicitly blamed the problem on the compromised standard.

While the Bsafe software dates back to the 1990s, RSA only introduced the flawed technology in 2004, after a $10m deal was brokered, according to Reuters.

The news is the latest revelation from the treasure trove of documents leaked by NSA whistleblower Edward Snowden. "Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show," claimed Reuters, the news organisation that broke the story.

Although the flaws in the standard were quickly recognised - security guru and cryptographer Bruce Schneier said that they could only be described as a 'back door' - the standard continued to be used and offered as an option in the Bsafe product until September 2013.

As a result of the claims, RSA, which was acquired for $2.1bn by storage hardware vendor EMC in 2006, may face legal challenges around the world from customers.

The compromise also risks alienating customers across the world from US security software vendors more broadly - and possibly from vendors in other sectors of the software industry - if organisations come to regard them all as equally tainted.

Some of the documents released by whistleblower Snowden called for the NSA to develop "commercial relationships" to advance its goal of total internet surveillance - but did not name any security companies as collaborators.

For years, many US software companies, particularly in the security sector, have been paid for unspecified research and other work they perform on behalf of the US Department of Defense. Such work could be used as a cover to hide payments by the NSA to vendors.