The maligned Dual EC DRBG random number generator at the core of a $10 million secret contract between RSA Security and the National Security Agency has been removed from NIST’s draft guidance on random number generators.
The National Institute for Standards and Technology said it will request final public comments before the generator is officially removed from NIST Special Publication 800-90A, Rev. 1.
NIST recommends that users still working with Dual EC to move to any of the three remaining approved algorithms in the publication.
In September, NIST urged users of the encryption algorithm to back away after security concerns raised by the Snowden leaks indicated the NSA-penned Dual EC could be backdoored. RSA Security followed less than two weeks later with a similar recommendation against the use of Dual EC.
Reuters then reported in December of a secret $10 million deal between the intelligence agency and RSA that guaranteed Dual EC would be the default random number generator in RSA’s BSAFE crypto libraries. BSAFE is used in many commercial products, despite weaknesses in the RNG known since 2007 that raised suspicions it was compromised.
NIST said yesterday that the public comment period on Special Publication 800-90A will close on May 23.
“Some commenters expressed concerns that the algorithm contains a weakness that would allow attackers to figure out the secret cryptographic keys and defeat the protections provided by those keys,” NIST said in a statement yesterday. “Based on its own evaluation, and in response to the lack of public confidence in the algorithm, NIST removed Dual_EC_DRBG from the Rev. 1 document.”
NIST recommends that vendors who currently have Dual EC deployed in their products and want to remain compliant with Federal guidance, select an alternative algorithm quickly. NIST also provided a list of crypto modules that include Dual EC.
“Most of these modules implement more than one random number generator. In some cases, the Dual_EC_DRBG algorithm may be listed as included in a product, but another approved algorithm may be used by default,” NIST said. “If a product uses Dual_EC_DRBG as the default random number generator, it may be possible to reconfigure the product to use a different default algorithm.”
The backlash against Dual EC dates back almost seven years when experts pointed out that the algorithm was slow compared to others available at the time, and that it contained a bias that compromised the integrity of the random numbers it generated.
“I wrote about it in 2007 and said it was suspect. I didn’t like it back then because it was from the government,” crypto pioneer Bruce Schneier told Threatpost in September. “It was designed so that it could contain a backdoor. Back then I was suspicious, now I’m terrified.
“We don’t know what’s been tampered with. Nothing can be trusted. Everything is suspect,” Schneier said.
RSA’s BSAFE is embedded in many applications, providing cryptography, digital certificates and TLS security. At the end of March, Reuters reported that the presence of an extension called Extended Random in BSAFE for Java could help facilitate the cracking of Dual EC 65,000 times quicker.