The standard is the Dual Elliptic Curve Deterministic Random Bit Generator.
The Dual_EC_DRBG is believed to contain an NSA backdoor that would in essence nullify the standard’s security.
“Following NIST’s decision to strongly recommend against the use of … Dual EC DRBG, RSA determined it appropriate to issue an advisory to all our RSA BSafe and RSA Data Protection Manager customers recommending they choose one of the different cryptographic pseudo-random number generators built into the RSA BSafe toolkit,” RSA spokesperson Kevin Kempskie told TechNewsWorld.
“We are now working with customers to ensure they are using the strongest and safest cryptographic methods possible,” he added.
The Long Arm of the NSA
It’s been widely reported that the National Security Agency used its influence to get NIST to accept and publish the specifications for the Dual_EC_DRBG.
Security expert Bruce Schneier “talked about this back in 2007; his article explained that the NSA was the primary promoter of this algorithm, and that there were some significant weaknesses in the encryption routines wherein the algorithm relied upon a series of secondary numbers that, if known, would allow an attacker to predict the output of Dual_EC_DRBG,” noted Kevin O’Brien, enterprise solution architect at CloudLock.
“NIST and the NSA have always had a close relationship, but this was not supposed to extend into subverting cryptographic standards,” Daniel Castro, senior analyst at the Information Technology & Innovation Foundation, told TechNewsWorld.
What the Fuss Is About
The Dual_EC_DRBG is a PRNG based on the elliptic curve discrete logarithm problem, the idea being that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is not feasible. The bigger the elliptic curve, the more difficult it is to find that discrete log.
The problem is that there is a backdoor in the NIST SP800-90 Dual-EC-PRNG standard. This was first discovered by Microsoft researchers Dan Shumow and Niels Ferguson, who discussed their findings at a Crypto 2007 rump session.
The backdoor is the requirement by the NIST standard of the use of a prespecified elliptical curve, the ITIF’s Castro explained.
“If the implementation uses the recommended numbers found in the standard, then it is possible the NSA can easily crack it.”
The Dual-EC_DRBG algorithm includes default elliptic curve points for three elliptic curves, the provenance of which were not described, according to NIST. Following expressions of concern over this issue by security researchers, NIST included specs for generating different points than the default points, but noted that “recent community commentary has called into question the trustworthiness of these default elliptic curve points.”
Implications of the Backdoor
“Weaknesses in long-revered encryption … [undermine] much of the research and publications released by NIST,” Darren Hayes, CIS program chair at Pace University’s Seidenberg School, told TechNewsWorld.
“Of great concern is that other nations competing with the USA in terms of trade or weaponry have become more educated about deficiencies in how we secure our intellectual property,” Hayes continued.
“There is never a case where security is perfect,” CloudLock’s O’Brien pointed out. “Trade-offs between security and convenience will be made, and varying interests will exploit weaknesses and design in vulnerabilities that can compromise security mechanisms.”
However, the backdoor does not mean that all cryptographic algorithms are unsafe, he told TechNewsWorld. For example, AES-256 is still generally considered secure.
Businesses should use open standards, and they should not implement encryption in-house, advised O’Brien. Further, they should remain abreast of security warnings from encryption implementers and review teams.
*ECT News Network editor’s note – Sept. 25, 2013: Our original published version of this story stated that “security firm RSA has advised its customers not to use its BSafe security software products.” In fact, RSA recommended that customers make a configuration adjustment to choose one of the alternative cryptographic Pseudo-Random Number Generators built into the RSA BSAFE toolkit and RSA Data Protection Manager products.