NSA may have put secret back door in new encryption protocol

Published 21 November 2007

Earlier this year the U.S. government released NIST Special Publication 800-90, a new official standard for random-number generators. The document contains four different approved techniques (Deterministic Random Bit Generators). One of those generators, the one based on elliptic curves and championed by the NSA, is three orders of magnitude slower than its peers. Why?

Random numbers are critical for cryptography: For encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers, and so on. “Break the random-number generator,” security maven Bruce Schneier writes, “and most of the time you break the entire security system.” This is why, he continues, we should worry about a new random-number standard that includes an algorithm which is slow, badly designed, and just might contain a back door for the National Security Agency (NSA). Note that generating random numbers is not easy, and researchers have discovered many problems and attacks over the years. A recent paper found a flaw in the Windows 2000 random-number generator. Another paper found flaws in the Linux random-number generator. Back in 1996, an early version of SSL was broken because of flaws in its random-number generator. In 1999, Schneier himself, with John Kelsey and Niels Ferguson, coauthored Yarrow, a random-number generator based on the authors’ own cryptanalysis work (Schneier improved the design four years later — and renamed it Fortuna — in the book