The National Institute of Standards and Technology (NIST) has decided to abandon a controversial cryptographic algorithm used for random number generation in the wake of allegations that the National Security Agency may have weakened the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) for the benefit of its surveillance activities.
Based on concerns over the algorithm, NIST had recently commenced a public comment period on the embattled algorithm so that researchers could further examine the encryption standard and its overall reliability.
“We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place. NIST would not deliberately weaken a cryptographic standard,” NIST officials stated previously. “If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible.”
NIST has officially announced the decision to remove the cryptographic algorithm from its revised guidance on random number generators provided in the Recommendation for Random Number Generation Using Deterministic Random Bit Generators (NIST Special Publication 800-90A, Rev. 1).
“The revised document retains three of the four previously available options for generating pseudorandom bits needed to create secure cryptographic keys for encrypting data,” NIST stated. “It omits an algorithm known as Dual_EC_DRBG, or Dual Elliptic Curve Deterministic Random Bit Generator. NIST recommends that current users of Dual_EC_DRBG transition to one of the three remaining approved algorithms as quickly as possible.”
The organization made the decision after strong suspicion that the NSA “backdoored” the random bit generator by weakening the encryption process, leaving NIST in the awkward position of having to announce that it could no longer endorse its own encryption standard because “recent community commentary has called into question the trustworthiness of these default elliptic curve points.”
Last September, security firm RSA sent an advisory to their developer customers warning against use of a toolkit that employs an NIST encryption algorithm by default that is suspected to have been “backdoored” by the NSA, and in October secure global communications provider Silent Circle announced they would replace NIST cipher suites in their products.
“This doesn’t mean we think that AES is insecure, or SHA–2 is insecure, or even that P–384 is insecure. It doesn’t mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA’s perfidy, along with the rest of the free world. For us, the spell is broken. We’re just moving on. No kiss, no tears, no farewell souvenirs,” wrote Silent Circle co-founder Jon Callas of the decision.