March 23, 2011, 8:52 AM — Does the RSA SecurID two-factor authentication system include a back door that was built in at the request of the U.S. government in exchange for letting RSA export SecurID?
"RSA cut a deal with the government to provide a back door for surveillance work," say some industry analysts, who asked not to be identified. They say the trade-off let RSA export SecurID. RSA today would not confirm or deny this, indicating it was limiting its discussion of SecurID since last week's disclosure of a network breach where "certain information" about SecurID was stolen.
"Certainly possible," says security technology expert and author Bruce Schneier. "Back in the '80s, this sort of thing was popular. Remember key escrow? Remember the back door in Lotus Notes? SecurID is old enough that the NSA would have asked and that export might have hinged on it." But Schneier says he has no direct knowledge of that.
Others say they simply find it too hard to believe such a back door exists in RSA SecurID.
"It's highly unlikely," says Jon Oltsik, principal analyst at Enterprise Strategy Group. If that were true, however, anyone using SecurID would be at risk, he notes. But Oltsik reiterates he considers the idea of a back door in SecurID to not be credible.
RSA indicated that legal constraints brought about by the disclosed breach are holding it back from confronting this question of a back door to SecurID.
But if there is any back door, the implications are particularly troubling since RSA last week admitted, without providing much detail, that "certain information" related to SecurID was stolen by a stealthy attack into RSA's network. Art Coviello, RSA executive chairman, referred to the attack as an "Advanced Persistent Threat," a term meaning a stealthy hacker break-in to steal sensitive corporate information.
The industry analysts, who asked that their names not be disclosed, say it's their firm conviction that RSA SecurID has a back door available for government surveillance with the involvement of the National Security Agency (NSA). They believe this is the main reason why RSA made such cryptic statements last week about the breach RSA says is tied specifically to the product SecurID, the two-factor authentication system based on servers and tokens to generate one-time passwords.