NIST (the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce) has formally removed Dual_EC_DRBG from its draft guidance on random number generators.
This is an odd episode, and the oddness seems to have eluded many observers. The outrage switched on late last year when one of the Snowden leaks indicated that the NSA had intentionally inserted weaknesses into a NIST standard for random number generation, a key component of secure cryptography. Sources told Reuters that RSA Security had entered into $10 million of secret contracts with the NSA, a provision of which was to make the weakened algorithm the default choice in their products. RSA denied the charge.
Why this should have surprised anyone is hard to understand. Problems with Dual_EC_DRBG were first reported almost eight years ago, and in 2007 Dan Shumow and Niels Ferguson of Microsoft showed, as Bruce Schneier put it at the time, "...the algorithm contains a weakness that can only be described as a backdoor."
More from Schneier:
What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.
Schneier also notes that the NSA had championed Dual_EC_DRBG in the NIST process and in earlier standardization processes. Back in the pre-Snowden days, the NSA's input into cryptography standards was welcomed, as the Agency clearly had significant expertise in the subject. It's going to take a long time before they earn that level of trust again. None of this proves that the NSA inserted a weakness in the standard, but if there wasn't necessarily any fire, there was sure a lot of smoke.
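To make Schneier's "skeleton key" concrete, here is an added toy model of the Shumow/Ferguson observation, constructed for this post rather than taken from NIST, Schneier or the researchers. It runs Dual_EC on a deliberately tiny curve (y^2 = x^3 + x + 1 over F_23, with a hypothetical trapdoor value D_SECRET relating the two published points P and Q) and shows that whoever knows that value recovers the generator's next internal state from a single output block; the defensive lesson is that a constant like Q needs a verifiable, reproducible derivation, and a generator whose constants lack one should not be deployed.

```python
# Constructed toy curve, NOT the NIST P-256 parameters: y^2 = x^3 + x + 1 over F_23.
P_MOD, A, B = 23, 1, 1
N = 28                  # number of curve points; P below generates the whole group
P = (0, 1)              # the base point everyone agrees on
D_SECRET = 5            # hypothetical trapdoor: Q = D_SECRET * P (unknown to users)
INF = None              # point at infinity

def ec_add(p1, p2):
    """Affine point addition; INF (None) is the identity."""
    if p1 is INF or p2 is INF:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def x_of(pt):
    if pt is INF:
        raise ValueError("hit the point at infinity; choose another seed")
    return pt[0]

Q = ec_mul(D_SECRET, P)  # published alongside P; nothing reveals that it is d*P

def dual_ec_step(s):
    """One Dual_EC block: r = x(s*P); returns (x(r*P), x(r*Q)) = (next state, output).
    The real standard also drops the output's top 16 bits: 2^16 candidates per block."""
    r = x_of(ec_mul(s, P))
    return x_of(ec_mul(r, P)), x_of(ec_mul(r, Q))

def recover_next_state(output, d):
    """Lift the output to a point R = r*Q (either y works); then e*R with
    e = d^-1 mod N equals r*P, whose x-coordinate is the generator's next state."""
    rhs = (output ** 3 + A * output + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)  # square root, valid because P_MOD % 4 == 3
    if y * y % P_MOD != rhs:
        raise ValueError("output is not an x-coordinate on the curve")
    return x_of(ec_mul(pow(d, -1, N), (output, y)))
```

Running `dual_ec_step(4)` yields state 9 and output 19, and `recover_next_state(19, D_SECRET)` returns 9, so every later block is predictable to the trapdoor holder while remaining indistinguishable from random to everyone else.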
Even pre-Snowden, anyone who was paying attention should have known not to use Dual_EC_DRBG. Whether or not they were bribed to use it, RSA certainly should have known. By taking this long, and by responding only to public outrage over the Snowden leaks, NIST makes a mockery of its processes.