Security firm RSA sent an advisory to their developer customers warning against use of a toolkit that employs an NIST encryption algorithm by default that is suspected to have been “backdoored” by the NSA.
The emailed advisory said the company took the step to “ensure a high level of assurance in their application,” and that “RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG.”
The advisory also included instructions on how customers could disable the algorithm and designate another as the default protocol, and the company stated that it will make the change in its BSAFE and an RSA key management system.
“The currently released and supported versions of the BSAFE libraries (including Crypto-J 6.1.x and Crypto-C ME 4.0.x) and of the RSA DPM clients and servers use Dual EC DRBG as the default PRNG, but most libraries do support other PRNGs that customers can use. We are providing guidance to our customers on how to change the PRNG from the default in their existing implementation,” the RSA advisory stated.
Based on concerns over the algorithm, NIST recently opened a public comment period so that researchers can further examine the encryption standard and its reliability.
“We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place. NIST would not deliberately weaken a cryptographic standard,” NIST officials stated previously. “If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible.”