Computers by their nature cannot do anything truly random. Most ciphers need a random number as a starting point. Because that number isn't truly random, cryptographers may be able to use that weakness to undermine the otherwise secure cipher and the secret it encrypts.
Well, NIST apparently got EC_DRBG from the NSA and published it as part of its Suite B ciphers in NIST Special Publication 800-90A in 2006. Suite B is a collection of ciphers and RNGs that must be included in computers sold to the U.S. government and to any contractor required to participate. In short, if you want to sell your computers or software to the U.S. government (the largest single buyer of computers) and to tens of millions of other people, you need to have the Suite B ciphers in your operating system or application if it will be used to encrypt content.
Almost immediately, a team of respected cryptographers noted that EC_DRBG could have a mathematical "flaw" that would make the RNG less random than it should be, undermining any cipher that used it. After further review, the researchers were fairly confident that EC_DRBG was indeed flawed and possibly contained a "magic number" which, if known or discovered, would lead to its complete undoing. This is heady stuff in the cryptographic world, and as expected, it made headlines around the world. By at least 2007, anyone following the cryptographic world knew EC_DRBG was a problem.
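Why a known "magic number" undoes a generator of this kind, as an added toy example (not code from the article, from NIST or from any vendor): it stands in integers modulo a constructed prime for elliptic-curve points, gives the generator two public constants P and Q with a hidden relation P = Q^d, and shows that one observed output plus d yields the next internal state and therefore every later output.

```python
# Toy analogue of a Dual-EC-style generator (constructed example, not the
# real algorithm): integers modulo a small prime replace curve points, and
# output truncation is omitted so the algebra fits in a few lines.
PRIME = 2**31 - 1  # constructed modulus for the toy group

def make_constants(q: int, d: int) -> tuple:
    """Derive P from Q with a secret relation d, so that P = Q^d (mod PRIME).
    Whoever picks d this way holds the 'magic number'."""
    return pow(q, d, PRIME), q

def step(state: int, p: int, q: int) -> tuple:
    """One generator step: secret r from the state, next state from r via P,
    public output from the same r via Q."""
    r = pow(p, state, PRIME)
    next_state = pow(p, r, PRIME)
    output = pow(q, r, PRIME)
    return next_state, output

def predict_next_state(output: int, d: int) -> int:
    """With d known, output^d = Q^(r*d) = (Q^d)^r = P^r, i.e. the next state."""
    return pow(output, d, PRIME)

def run(seed: int, p: int, q: int, n: int) -> list:
    """Produce n outputs starting from a given internal state."""
    outs, s = [], seed
    for _ in range(n):
        s, o = step(s, p, q)
        outs.append(o)
    return outs

def demo() -> dict:
    secret_d = 123456789           # the hidden relation between P and Q
    P, Q = make_constants(q=5, d=secret_d)
    seed = 987654321               # the generator's private starting state
    s1, o1 = step(seed, P, Q)      # an observer sees o1 only, never seed or s1
    recovered = predict_next_state(o1, secret_d)   # observer who knows d
    wrong = predict_next_state(o1, secret_d + 1)   # observer who does not
    return {
        "state_recovered": recovered == s1,
        "future_predicted": run(recovered, P, Q, 3) == run(s1, P, Q, 3),
        "wrong_guess_works": wrong == s1,
    }
```

The defence is procedural rather than mathematical: P and Q must be generated independently by a public, verifiable process so that no party ever learns a d relating them.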
Still, it was a required RNG, and all vendors had to include it as a choice. Luckily, the Suite B ciphers offered three other RNGs that vendors could use, and in general most systems supporting Suite B ciphers never used the flawed one. Get that? They had to include the underlying instructions for EC_DRBG and the ability to implement it, but few vendors actually used it or activated it.
At least one vendor, however, did implement EC_DRBG. RSA used it in BSAFE, one of its most popular products. EC_DRBG was enabled as the default in one or more BSAFE features. Last month, the company released a statement to customers advising them to stop using the algorithm.
Understandably, NIST is now coming under increased scrutiny. It has made public statements maintaining it would never knowingly implement a flawed cipher -- and would make changes to ensure flawed ciphers would not be recommended in the future.
But if we're to place our confidence in that statement, NIST needs to answer a key question: If the world knew that NIST's standards contained a flawed cipher component for more than six years, why didn't NIST remove it?
I recommend that all encryption users review their ciphers and ensure they don't actively incorporate EC_DRBG. If they do, you have a bone to pick with your software vendor.
This story, "Is your security vendor colluding with the NSA?," by Roger Grimes was originally published at InfoWorld.com.