Description
So, I think we may have weakened this too much. As it stands, "encouraged" does not get across that reports are that the NSA used a contract and paid RSA to make this change. Encouragement could have been in much weaker forms. I understand that the amount of the contract (the dollar figure) may be sensitive, but I think the issue is important enough to be called out. (It's certainly front and center in something like this: http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220) I suggest we do say that a contract and pay are alleged, but do not include the dollar amount. Something like this:
There is also some suspicion that NSA modifications to the DUAL_EC_DRBG random number generator were made to ensure that keys generated using that generator could be predicted by NSA. This RNG was made part of NIST's SP 800-90A, for which NIST acknowledges NSA's assistance. There have also been reports that the NSA paid RSA Security for a related contract with the result that the curve became the default in the RSA BSAFE product line.
A citation to the allegation would make sense as well (the Reuters article linked above being one possibility).
Ted