In the wake of the disclosure that the NSA has influenced NIST to adopt an encryption standard that includes one random bit generator with a weakness known only to the intelligence agency, NIST has reopened the public comment period for the standard so that the public can analyze and comment on it again.
They also promised to work with the cryptographic community to address any vulnerability that may be found, and recommended that the generator in question (Dual_EC_DRBG) no longer be used.
And according to Ars Technica, RSA Security has decided to listen.
The company has sent out an advisory to the developer customers of its BSAFE Toolkits and Data Protection Manager, notifying them that the tools were using the algorithm by default and instructing them on how to change it. All versions of both tools are affected.
According to a company spokesman, RSA is conducting an internal review of all of its products to check whether the algorithm is invoked in any of them, but a source close to the company has confirmed that its flagship product – the two-factor authentication SecurID system – does not use the faulty algorithm.
“At the time, elliptic curves were in vogue and hash-based RNG was under scrutiny. The hope was that elliptic curve techniques—based as they are on number theory—would not suffer many of the same weaknesses as other techniques (like the FIPS 186 SHA-1 generator) that were seen as negative, and Dual_EC_DRBG was an accepted and publicly scrutinized standard,” said RSA Security CTO Sam Curry, explaining why the company chose the algorithm as the default for the two products.
He added that a number of features made it seem ideal at the time (2004-2005): continuous testing of the output, mandatory re-seeding, optional prediction resistance and the ability to configure it for different security strengths.
RSA has sent the advisory to select developers, but the warning applies equally to the many others who probably did not receive the email: any deployment of BSAFE or Data Protection Manager that relies on the default generator should be checked and reconfigured to use a different DRBG.