NIST finally dumps NSA-tainted random number algorithm

Summary: Many years after a backdoor, probably planted by the NSA, was discovered in it, public pressure has finally forced NIST to formally remove Dual_EC_DRBG from its recommendations.


NIST (the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce) has formally removed Dual_EC_DRBG from its draft guidance on random number generators.

This is an odd episode, and the oddness seems to have eluded many observers. The outrage erupted late last year when one of the Snowden leaks indicated that the NSA had intentionally inserted weaknesses into a NIST standard for random number generation, a key component of secure cryptography. Sources told Reuters that RSA Security had entered into $10 million of secret contracts with the NSA, a provision of which was to make the weakened algorithm the default choice in their products. RSA denied the charge.

Why this should have surprised anyone is hard to understand. Problems with Dual_EC_DRBG were first reported almost eight years ago, and in 2007 Dan Shumow and Niels Ferguson of Microsoft showed, as Bruce Schneier put it at the time, "...the algorithm contains a weakness that can only be described as a backdoor."

More from Schneier:

    What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.
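To make the "skeleton key" concrete, here is a toy model of the Dual_EC_DRBG structure Shumow and Ferguson analysed. This is an added example, not code from the article, from Schneier, or from NIST's specification: it uses a constructed 31-bit curve, a constructed base point Q, a made-up secret scalar SECRET_E with P defined as SECRET_E * Q, and discards 8 bits of each output where the real generator discards 16. Whoever holds SECRET_E rebuilds the curve point behind one truncated output, multiplies it by the secret to obtain the generator's next internal state, confirms the guess against the following output, and from then on predicts every later output. Anyone without the secret sees only points on a curve. The defender's lesson is the one the article draws: a generator whose fixed constants could have been derived from a secret nobody can audit is untrustworthy no matter how sound the mathematics looks, and the remedy is to stop using it.

```python
"""Toy Dual_EC_DRBG with a known relationship P = e*Q (constructed, insecure)."""
import secrets

PRIME = 2**31 - 1                  # toy field modulus; a prime with PRIME % 4 == 3
A, B = -3, 7                       # curve y^2 = x^3 + A*x + B over F_PRIME (constructed)
FIELD_BITS = PRIME.bit_length()    # 31
TRUNC_BITS = 8                     # real Dual_EC drops 16 of 256 bits; the toy drops 8 of 31
OUT_MASK = (1 << (FIELD_BITS - TRUNC_BITS)) - 1
Q = (2, 3)                         # public base point (3^2 == 2^3 - 3*2 + 7 mod PRIME)
SECRET_E = 1234567                 # the "skeleton key" (constructed): P is SECRET_E * Q


def on_curve(pt):
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % PRIME == 0


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % PRIME, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow((x2 - x1) % PRIME, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, addend = None, pt
    while k > 0:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


P = ec_mul(SECRET_E, Q)            # the second public point; where it came from is the whole issue


def x_coord(pt):
    if pt is None:                 # roughly a 2^-31 chance per step in this toy; not handled further
        raise ValueError("reached the point at infinity")
    return pt[0]


def dual_ec_next(state):
    """One simplified Dual_EC_DRBG round: returns (new_state, truncated output)."""
    r = x_coord(ec_mul(state, P))
    new_state = x_coord(ec_mul(r, P))
    output = x_coord(ec_mul(r, Q)) & OUT_MASK         # top TRUNC_BITS bits are discarded
    return new_state, output


def generate(seed, n):
    """What an honest consumer sees: n truncated outputs from a seed."""
    outputs, state = [], seed
    for _ in range(n):
        state, out = dual_ec_next(state)
        outputs.append(out)
    return outputs


def sqrt_mod_prime(n):
    """Square root modulo PRIME (valid because PRIME % 4 == 3); None for non-residues."""
    n %= PRIME
    root = pow(n, (PRIME + 1) // 4, PRIME)
    return root if root * root % PRIME == n else None


def recover_state(out1, out2, e):
    """Holder of e: rebuild r*Q from one truncated output, multiply by e to get r*P
    (whose x is the next state), and confirm the guess against the following output.
    Returns the state that will produce the output after out2, or None."""
    for high in range(1 << TRUNC_BITS):               # guess the discarded top bits
        x = out1 | (high << (FIELD_BITS - TRUNC_BITS))
        if x >= PRIME:
            continue
        y = sqrt_mod_prime(x**3 + A * x + B)
        if y is None:
            continue                                  # no point on the curve has this x
        r_times_p = ec_mul(e, (x, y))                 # e*(r*Q) == r*(e*Q) == r*P
        if r_times_p is None:
            continue
        state_after, predicted = dual_ec_next(r_times_p[0])
        if predicted == out2:
            return state_after
    return None


def attacker_predicts_future(seed=None):
    """Whole scenario: observe two outputs, recover the state, predict the next two."""
    if seed is None:
        seed = secrets.randbelow(PRIME - 2) + 1
    observed = generate(seed, 4)
    state = recover_state(observed[0], observed[1], SECRET_E)
    return state is not None and generate(state, 2) == observed[2:]


if __name__ == "__main__":
    print("P and Q on curve:", on_curve(P) and on_curve(Q))
    print("state recovered, later outputs predicted:", attacker_predicts_future())
```

The toy uses two outputs where Schneier's figure of 32 bytes corresponds to a single output block of the real generator: the first output is enough to enumerate the few hundred candidate curve points, and the second only confirms which candidate is right. Without the scalar relating P to Q, the same candidate points are worthless, which is exactly why the provenance of those two constants mattered.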

Schneier also notes that the NSA had championed Dual_EC_DRBG in the NIST process and in earlier standardization processes. Back in the pre-Snowden days, the NSA's input into cryptography standards was welcomed, as the Agency clearly had significant expertise in the subject. It's going to take a long time before they earn that level of trust again. None of this proves that the NSA inserted a weakness in the standard, but if there wasn't necessarily any fire, there was certainly a lot of smoke.

Even pre-Snowden, anyone who was paying attention should have known not to use Dual_EC_DRBG. Whether or not they were bribed to use it, RSA certainly should have known. By taking this long, and by responding only to public outrage over the Snowden leaks, NIST makes a mockery of its processes.

Topics: Security, Government US



  • Not Just Mockery...

    But hypocrisy too. Notice how Obama & Co is suddenly quite silent on Chinese government hacking... Bush cost our nation significant credibility. Obama is supposed to be a breath of fresh air. Sadly, our national credibility stinks.
  • When government and business get in bed together -

    -- we lose.

    And this story of NIST approving an NSA-compromised encryption method is a perfect example of EXACTLY WHY Edward Snowden exists. If business hadn't been in bed with the NSA on everything they're doing, Snowden would never have had cause to reveal what he did.

    So, regardless of whether or not you see Snowden as a traitor or a hero, HE WAS INEVITABLE as long as our government was acting in this manner.

    Governments do things like this because THEY CAN.
    The only way to prevent them from trying it is for the People (including businesses) to say NO, YOU CAN'T.

    It really is that simple. How it plays out may be complex, but the principle is really that simple.
    Jo Keely