Controversial random number generator in Vista Service Pack 1
With its Service Pack 1 for Windows Vista, Microsoft is also adding the Dual_EC_DRBG random number generator. The US standard, released by the National Institute of Standards and Technology (NIST) in "Special Publication 800-90" (PDF), is suspected of containing a back door for the NSA. Programmers can access the new random number generator via an API. But security expert Bruce Schneier emphatically recommends against using it and repeats his suspicion that the algorithm could contain a back door.
Cryptologists Niels Ferguson and Dan Shumow described a weakness of the algorithm at the Crypto 2007 conference. The algorithm is based on elliptic curves, described by a set of constants. The trouble is that no explanation has been given of how the constants were derived. The cryptologists demonstrated that the constants must be related to an unknown second set of numbers. This second set of numbers could serve as a kind of master key.
- Backdoor suspected in encryption standard, heise Security alert
- Overview of Windows Vista Service Pack 1, Overview of the changes contained in Service Pack 1 by Microsoft
- Dual_EC_DRBG Added to Windows Vista, Blog entry by Bruce Schneier