from the took-'em-long-enough dept
Back in December, it was revealed that the NSA had given RSA $10 million to push weakened crypto. Specifically, RSA took $10 million to make Dual Elliptic Curve Deterministic Random Bit Generator, better known as Dual_EC_DRBG, as the default random number generator in its BSAFE offering. The random number generator is a key part of crypto, because true randomness is nearly impossible, so you need to be as random as possible. If it’s not truly random, you’ve basically made incredibly weak crypto that is easy to break. And that’s clearly what happened here. There were other stories, released earlier, about how the NSA spent hundreds of millions of dollars to effectively take over security standards surreptitiously, including at least one standard from the National Institute of Standards and Technology (NIST). People quickly realized they were talking about Dual_EC_DRBG, meaning that the algorithm was suspect from at least September of last year (though there were indications many suspected it much earlier).
In response to all this, NIST quickly issued an announcement recommending against using Dual_EC_DRBG, but it didn’t finally remove it from its random number generator recommendations until this week — following through on an open comment process on changing its recommendations.
Following a public comment period and review, the National Institute of Standards and Technology (NIST) has removed a cryptographic algorithm from its draft guidance on random number generators. Before implementing the change, NIST is requesting final public comments on the revised document, Recommendation for Random Number Generation Using Deterministic Random Bit Generators (NIST Special Publication 800-90A, Rev. 1).
The revised document retains three of the four previously available options for generating pseudorandom bits needed to create secure cryptographic keys for encrypting data. It omits an algorithm known as Dual_EC_DRBG, or Dual Elliptic Curve Deterministic Random Bit Generator. NIST recommends that current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible.
In September 2013, news reports prompted public concern about the trustworthiness of Dual_EC_DRBG. As a result, NIST immediately recommended against the use of the algorithm and reissued SP 800-90A for public comment.
Some commenters expressed concerns that the algorithm contains a weakness that would allow attackers to figure out the secret cryptographic keys and defeat the protections provided by those keys. Based on its own evaluation, and in response to the lack of public confidence in the algorithm, NIST removed Dual_EC_DRBG from the Rev. 1 document.
In the announcement, NIST also points out that it’s reviewing its cryptographic standards development process, to try to prevent this sort of thing from happening again.