RSA has issued a statement denying allegations stemming from Friday's bombshell report that the encryption software provider received $10 million from the National Security Agency (NSA) in exchange for making a weak algorithm the preferred one in its BSAFE toolkit. ...
Nothing in the release contradicts the findings of the Reuters article — that RSA accepted $10 million from the NSA in exchange for making the Dual EC_DRBG BSAFE's default pseudo random number generator (PRNG).
This hasn't hit the press yet, but there was a similar story with a Canadian crypto company. Here is the 2003 press release:
Certicom Corp. (TSX: CIC), a leading provider of wireless security solutions, today announced that the National Security Agency (NSA) in Maryland has purchased extensive licensing rights to Certicom’s MQV-based Elliptic Curve Cryptography (ECC) intellectual property. ... This contract, valued at US$25 million, ...
Certicom promoted MQV as an IEEE standard, and the NSA also made it a standard.
One of the stated purposes of MQV was to resist the "unknown key share attack". However, the NSA weakened MQV to make it susceptible to that attack, and the weakness was published in 2001. It was the NSA-weakened protocol that Certicom promoted as an IEEE standard.
I was on the IEEE committee, and voted against MQV because it had been broken. I was outvoted. I could never get a clear explanation as to why we were adopting a broken version of a protocol, except that NSA was supporting the broken version. My guess is that Certicom was influenced by that $25M.
I cannot say that any spying resulted from use of MQV. NSA ended up dropping MQV, and I doubt that many others use it. That is too bad, as an improved version, HMQV, is quite efficient and secure.
Disclosure: I was involved in a couple of lawsuits against RSA in the 1990s. I alleged antitrust violations and an assortment of patent issues. I ended up getting a judgment with a license to the public key cryptography patents. The RSA claims against me were all dismissed. The patentability issues were never really resolved, as Forbes calls it the most difficult question in patent law and it is currently back before the US Supreme Court.
Update: Certicom also had a hand in the RSA backdoor. None of these weaknesses were particularly secret, as they were always documented on the relevant Wikipedia pages.