Snowden documents say NSA introduced weaknesses to the number-generating guidance.
The National Institute of Standards and Technology has finally removed a cryptographic algorithm from its draft guidance on random number generators, more than six months after leaked top-secret documents suggested the algorithm had been deliberately sabotaged by the National Security Agency.
The announcement came as NIST opened to a final round of public comments its revised Special Publication 800-90a, which contains three algorithms now that the Dual Elliptic Curve Deterministic Random Bit Generator has been removed following negative feedback from the public.
According to documents leaked by former contractor Edward Snowden in September, NSA “became the sole editor” of Special Publication 800-90 and allegedly introduced weaknesses to the now-removed algorithm. NIST responded swiftly to that news, recommending against using the standards and suggesting reopening them to public scrutiny in an effort to rebuild trust with the public.
Evidently, NIST received a mouthful. And based on statements from the agency, Dual_EC_DRBG must have performed poorly in evaluations, too.
“In September 2013, news reports prompted public concern about the trustworthiness of Dual_EC_DRBG. As a result, NIST immediately recommended against the use of the algorithm and reissued SP 800-90A for public comment,” NIST said in a statement. “Some commenters expressed concerns that the algorithm contains a weakness that would allow attackers to figure out the secret cryptographic keys and defeat the protections provided by those keys. Based on its own evaluation, and in response to the lack of public confidence in the algorithm, NIST removed Dual_EC_DRBG from the Rev. 1 document.”
NIST’s statement further highlighted the potential weaknesses of Dual_EC_DRBG.
Back in September, approximately 70 government vendors were still using it, even though questions about the algorithm’s integrity dated as far back as 2007. NIST published the standards in 2006.
“NIST recommends that vendors currently using Dual_EC_DRBG who want to remain in compliance with federal guidance, and who have not yet made the previously recommended changes to their cryptographic modules, should select an alternative algorithm and not wait for further revision of the Rev. 1 document,” the agency stated. “NIST advises federal agencies and other buyers of cryptographic products to ask vendors if their cryptographic modules rely on Dual_EC_DRBG, and if so, to ask their vendors to reconfigure those products to use alternative algorithms.”
NIST is required by statute to consult with the NSA on cryptographic matters. With public acknowledgement that at least one of its cryptographic standards wasn’t up to snuff because of the NSA, it’s likely that future collaboration between both agencies will come under more intense public scrutiny.