NIST advises against use of random bit generator algorithm apparently backdoored by NSA


The National Institute of Standards and Technology says cryptographers should not use for now a NIST random bit generator algorithm whose trustworthiness has been called into question by leaks from former intelligence contractor Edward Snowden.

NIST also says it will revise the special publication containing the algorithm, SP 800-90A (.pdf).

"NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used," NIST says in a bulletin (.pdf).

Reporting based on Snowden leaks finds that the National Security Agency appears to have inserted a backdoor into the dual elliptic curve deterministic random bit generation algorithm adopted as a standard by NIST in 2006. The elliptic curve method was one of four incorporated into SP 800-90, which was superseded by 800-90A in January 2012.

Some security researchers suspected (.pdf) almost immediately that the NSA tampered with the algorithm. In 2007, security scientist Bruce Schneier wrote in Wired that the Dual_EC_DRBG algorithm is also "too slow for anyone to willingly use it," and recommended two other deterministic random bit generator methods contained in the NIST special publication. It's only in recent days that NIST has moved to address concerns, however, while also defending its cryptography development process.

In a prepared statement, NIST says it is required by law to consult with the NSA; the intelligence community agency has the mission of both ensuring robust cryptographic standards for federal and military use while also cracking others' encoded communications.

NIST, the statement says, "would not deliberately weaken a cryptographic standard."

In addition to revising SP 800-90A--comments are due by Nov. 6--NIST is also reopening for public comment two other related draft special publications, 800-90B and 800-90C. The three publications are meant to be used together to generate random bit generators.

For more:
- download the NIST bulletin (.pdf)
- go to the NIST statement on its cryptographic development process
- go to a webpage of NIST draft special publications (has links to 800-90A Rev. 1, 800-90B and 800-90C)

Related Articles:
NSA inserted backdoor into NIST random number generator method
NSA backdoor encryption access re-ignites debate over government role in encryption
NSA broke data collection rules, finds audit