Suspect NIST crypto standard long thought to have a back door

[InfoSec News <alerts () infosecnews org>]

http://gcn.com/articles/2013/09/17/nist-cryptography-standard.aspx

By Kevin McCaney
GCN.com
Sep 17, 2013

While the National Institute of Standards and Technology reopens public 
review of several of its cryptographic standards, it is "strongly" 
advising against using one of the standards for elliptic curve 
cryptography -- a standard that cryptographers have long suspected 
contained a back door, whether it was put there intentionally or not.

The standard in question, known as Dual_EC_DRBG, is included in Special 
Publication 800-90A, one of three publications NIST has reopened in wake 
of reports that the National Security Agency had tampered with their 
development. Although the initial reports in the Guardian, New York Times 
and ProPublica, based on the Snowden documents, didn’t say which standard 
or standards had been compromised, the Times subsequently reported that 
NSA had installed a back door in Dual_EC_DRBG during its development. NIST 
adopted the standard in 2006.

Dual_EC_DRBG -- full name Dual Elliptic Curve Deterministic Random Bit 
Generation -- is one of four algorithms included in SP 800-90A. The others 
are based on hashing, block cypher encryption and hash message 
authentication code (HMAC). SP 800-90A is titled Recommendations for 
Random Number Generation Using Deterministic Random Bit Generators. The 
other publications being reopened are 800-90B, which addresses entropy 
sources in random bit generators, and 800-90C, which addresses random bit 
generator constructions.

[...]

--
Find the best InfoSec talent without breaking your
recruiting budget! Post a Job, $99 for 31 days.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/