Backdoor suspected in encryption standard
In his column for Wired magazine, cryptography guru Bruce Schneier has pointed out a potential backdoor in a new U.S. standard for random number generators. One of the four random number generators published by the National Institute of Standards and Technology (NIST) in its "Special Publication 800-90" (PDF file) – Dual_EC_DRBG – differs noticeably from the other three.
At the Crypto 2007 conference, Niels Ferguson and Dan Shumow described a weakness in the generator (PDF file) which, according to Schneier, should be classified as a potential "backdoor". The algorithm used in Dual_EC_DRBG is based on elliptic curves described by a series of constants. Although these constants are listed in the appendix to the NIST document, there is no description of where they came from. Ferguson and Shumow demonstrated that the published constants must be mathematically related to a second, unknown set of numbers. Anyone in possession of this second set could, with relatively little effort, use it as a kind of master key.
Ferguson and Shumow explicitly refrained from implying that the author of the algorithm had "intentionally put a backdoor in the NIST generator" or was even aware of the vulnerability. According to Schneier it is also unknown whether the NSA or NIST has access to the second set of numbers. Dual_EC_DRBG can also be implemented in a way that eliminates the backdoor problem; the NIST document describes this as an optional method.
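The following toy model is an added illustration, not code from the article, Schneier, or NIST: it runs the Dual_EC_DRBG scheme on a constructed 19-point curve with a deliberately known relation Q = e*P (the curve, the point P, and E_SECRET are assumptions) to show why constants of undocumented origin are the problem, and why the optional method of using a Q whose relation to P nobody knows removes it.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17: it has 19 points (prime), so
# every point other than the identity generates the whole group. Illustration only.
P_MOD, A, B, ORDER = 17, 2, 2, 19
P = (5, 1)      # the point driving the state update
E_SECRET = 7    # constructed: the hidden relation Q = E_SECRET * P that the article warns about

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

Q = ec_mul(E_SECRET, P)   # the published constant; its origin is what users cannot check

def dual_ec_step(state):
    """One round: next state is x(s*P), output is x(s*Q); real output truncation is omitted."""
    sp = ec_mul(state, P)
    if sp is None:
        raise ValueError("state is a multiple of the group order")
    return sp[0], ec_mul(state, Q)[0]

def predict_next_output(output):
    """Anyone holding E_SECRET turns one observed output into the next one."""
    # Lift the output back to a point R = +/-(s*Q); either sign gives the same x below.
    y = next(y for y in range(P_MOD) if (y * y - output**3 - A * output - B) % P_MOD == 0)
    d = pow(E_SECRET, -1, ORDER)            # Q = e*P  =>  s*P = d*(s*Q)
    next_state = ec_mul(d, (output, y))[0]  # recovers x(s*P), i.e. the next internal state
    return dual_ec_step(next_state)[1]

def backdoor_check(seed):
    """True when the prediction from round 0's output matches round 1's real output."""
    s1, r0 = dual_ec_step(seed)
    return predict_next_output(r0) == dual_ec_step(s1)[1]
```

Without E_SECRET the outputs reveal nothing about the state; with it, one output suffices to predict all following ones, which is why a Q generated verifiably at random (so that no e is known to anyone) is the safe choice.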
Schneier nevertheless asks why the NSA has pushed so strongly for including Dual_EC_DRBG in the standard when, in his opinion, doing so makes no sense for several reasons: this random number generator, for example, is considerably slower than the other three. Schneier recommends not using Dual_EC_DRBG and using CTR_DRBG or Hash_DRBG instead.