posted by janrinok on Saturday June 27 2015, @07:17PM
from the I've-been-waiting-5,9,1,2,1,8-days-for-this dept.

In response to public concerns about cryptographic security, the National Institute of Standards and Technology (NIST) has formally revised its recommended methods for generating random numbers, a crucial element in protecting private messages and other types of electronic data. The action implements changes to the methods that were proposed by NIST last year in a draft document issued for public comment.

The updated document, "Recommendation for Random Number Generation Using Deterministic Random Bit Generators," describes algorithms that can be used to reliably generate random numbers, a key step in data encryption.

One of the most significant changes to the document is the removal of the Dual_EC_DRBG algorithm, often referred to conversationally as the "Dual Elliptic Curve random number generator." This algorithm has spawned controversy because of concerns that it might contain a weakness that attackers could exploit to predict the outcome of random number generation. NIST continues to recommend the other three algorithms that were included in the previous version of the Recommendation document, which was released in early 2012.

http://phys.org/news/2015-06-nist-key-random.html

[Source]: http://www.nist.gov/manuscript-publication-search.cfm?pub_id=918489

[Document]: http://dx.doi.org/10.6028/NIST.SP.800-90Ar1 (PDF, 109 Pages)


  • (Score: 3, Interesting) by VortexCortex (4067) on Sunday June 28 2015, @03:37AM (#202327)

    Most interesting to me is how RSA was apparently given US$10mil to make this deprecated Dual_EC_DRBG algorithm (and its constants) the default [reuters.com] for the widely used BSAFE crypto software suite, thus leading to its most probably NSA-backdoored Pseudo Random Number Generator implementation being used in a wide array of services.

    The tyranny of the default strikes again. The sad thing is that the NSA made some suggestions for how SHA3 (Keccak) should be modified, allegedly to improve its security, but now we must assume that the new NIST standard was weakened instead (better safe than sorry since Snowden docs reveal weakening of publicly available crypto systems as an NSA agenda). Thus, while I support SHA3 I don't recommend its use with my cryptosystems.

    In other words: NIST is now moot, we can't take anything they say seriously. The fact they had to respond to public concerns rather than be concerned themselves demonstrates that their future recommendations, unfortunately, cannot be trusted. The truly sad thing is that I know there are some people in the NSA and NIST who truly care about improving digital security, but we have no way of differentiating their advice from those who wish to implant backdoors or make things more crackable to some exploit known only within the NSA (and whatever foreign powers infiltrate it -- if Snowden is any indication, any foreign government can get at more info than what this outsider contractor did). If you want something done right, you really do have to do it yourself.

    If only the NSA truly did support security of the nation through and through and not the buzzword "national security" (maintaining a nation's status quo even against the will of the populace [wikipedia.org]), then they could be tipping off companies and providers of security suites as to which exploits should be patched and what cryptosystems should be deprecated. Indeed, with such a directive they could purchase all the black market exploits the NSA normally does [theatlantic.com] and inform the public of the vulnerabilities rather than leverage them to promote "national security" -- knowing full well that non-official entities (the ones they paid) also have the same exploit capabilities, which actually promotes national insecurity through nondisclosure.

    Unfortunately, this move by NIST is too little too late. The Dual_EC_DRBG was suspect at the outset as it's FAR slower than all other recommendations -- thus, only an incompetent or malicious person would make the most inefficient RNG a default. Most glaring is that it had questionably chosen constants. When a cryptosystem just needs some "random" constants, the crypto community raises its eyebrows when the values are dictated specifically without giving a mundane source, such as digits of Pi in binary or some other well known verifiable naturally occurring series -- relying on the fact that if nature selected the constants they were likely not preselected to support a back door (God's dice are for us, not against -- ignoring allies of Roko's Basilisk). Thus, despite the fact the variables could be changed and even ignoring the millions behind this inferior pseudo random number generator, the fact that unexplained constants from Dual Elliptic Curve DRBG were included in specifications would immediately raise a red flag with any competent security researcher but did not do so with NIST, which demonstrates that NIST doesn't deserve our consideration as a recommender of security protocols now, past, or in the future.

  • (Score: 2) by dbot (1811) on Monday June 29 2015, @10:36AM (#202726) Journal

    Interesting comments - if you'll allow me to be pedantic with respect to the SHA3 business: NIST's recommendations explicitly weakened the algorithm, "in the name of performance".

    They had to backtrack because everyone was freaking out about them, and now the standard reflects the original submissions:

    https://en.wikipedia.org/wiki/SHA-3#NIST_announcement_controversy [wikipedia.org]

    On those grounds, I think that you might be being overly cautious with discrediting its use entirely.