Wednesday05 October 2022

RSA Says Not To Use the Dual EC DRBG algorithm For Fear it Might Have an NSA Backdoor ** Correction**

Reading time is around minutes.

Corrected 9-26-2013 12:48PM EST to add information from RSA and correct the headline from "RSA Says Not To Use Their Toolkit For Fear it Might Have an NSA Backdoor" to what it currently is.

A couple of weeks ago we reported on a claim that the NSA worked with many security companies and standards groups to help develop encryption algorithms. On the surface this was to help develop stronger and more secure encryption methods to protect US interests and data. However, it turned out that the NSA was actually working to introduce flaws into the system so that they could get back in at a later date. Some of these flaws might have even been exploited by hackers attempting to penetrate systems. We know that in recent years more and more data breaches are happening and the data recovered is often decrypted and sold off. Still until very recently there has not been much to hold up the original claims.

Now EMC Owned RSA (RSA is a combination of the last names of its founders) could be adding confirmation to this story. RSA has released a statement saying that developers should no longer trust the Dual EC DRBG algorithm found in their toolkit because there might be a back door in it. They are reviewing all of their products to be certain that there is nothing, but it would seem there is enough suspicion to make them a little nervous. For now they are asking people to switch to a different random number generator for their encryption schemes.

This news will come as a shock to many simply because RSA is a well-known and trusted company in internet security (and widely used). When a company like RSA begins to doubt their own tools there is a serious problem and potentially one that might take considerable time and resources to fix. To make matters even worse for developers and the rest of us there is the nagging fact that even using other random number generators or toolkits might not be enough. If the NSA was able to introduce flaws in the standard exactly what tools will get you beyond their reach?

When the information about the NSA and PRISM first hit the internet we knew that it was just the tip of the iceberg and we do not think it will stop with what we know now. The NSA has some serious reach from what we have already seen and now many companies are scrambling like roaches when the lights come on. What else will be revealed in the next few months? Whatever it is we are betting it is not going to be anything good.

Correction - According to information from RSA they are not asking people to stop using their toolkit, but are follwing advice from the NIST (National Institue of Standards and Technology). NIST has strongly recommended against using the Dual EC DRBG algorithm. The RSA advisory asks developers to use one of the alternative cryptographic Peudo-Random Number Generators avilable in the RSA BSAFE toolkit and RSA Data Protection Manager products.

The standard was community developed and adopeted by the NIST as one of the standards. It has been widley used in encryption by many companies (including RSA). As mentioned in the article the NSA had a hand in development and possibly in pushing for it to be a standard with the NIST.

Tell us what you think in our Forum


Last modified on Thursday, 26 September 2013 13:02

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.