A draft of revised guidance from the National Institute of Standards and Technology drops a cryptographic algorithm the National Security Agency is believed to have used to circumvent encryption that shields much of global commerce, banking systems, medical records and Internet communications.
NIST on April 21 issued the draft of Special Publication 800-90A, Revision 1, titled "Recommendation for Random Number Generation Using Deterministic Random Bit Generators," to replace guidance originally published in 2006. The agency withdrew that guidance last fall because of concerns an algorithm known as a deterministic random bit generator, or DRBG, could be used as a backdoor to bypass encryption and pilfer information (see NIST to Review Crypto Guidance Methods).
NIST acted after an outcry from the cryptographic community spurred by media reports that the NSA exploited a deterministic random bit generator, known as Dual_EC_DRBG, to evade encryption by using parameters specified in the guidance. That exploit, in turn, could allow attackers to successfully predict the secret cryptographic keys that form the foundation for the assurances provided in the special publication.
"It is clear from the received comments and conversations with representatives from industry and academia that the public does not have confidence in the security provided by the Dual_EC_DRBG," NIST says in a statement. "Although it is possible that the concern could be addressed by generating new parameters using the method in SP 800-90A, after reviewing these comments and conducting its own review of the algorithm, NIST has decided to remove the DRBG from the document."
Doing the Right Thing
Bruce Schneier, a widely followed cryptography expert, says NIST is taking the correct action. "They have to, just to further their credibility, which took an unwarranted hit after this whole thing," Schneier says. "If their standards are going to be used, they need to be trusted. This is a step in regaining that trust."
It's widely believed that NIST was unaware that the NSA muddled with the algorithm. Schneier, who was among the first cryptographers to identify the flaw in the DRBG, says he believes the incident unfairly tarnished NIST's reputation, which is held in high regard by most cryptographers. "The NSA snookered them," he says. "They were just as hoodwinked as everyone else was. They had to respond."
NIST says cryptographers identified this potential weakness during the development of the guidance, and the problem was initially mitigated by providing mechanisms to generate alternative parameters that would not be susceptible to this weakness.
Pending review of public comments on this revised draft, NIST says it intends to publish a final version of SP800-90A that formally withdraws the Dual_EC_DRBG as an approved deterministic random bit generator. NIST says it does not intend to provide a transition period allowing continued use of Dual_EC_DRBG by vendors or users after its removal from SP 800-90A.
NIST advises users and implementers to migrate to one of the three other approved DRBGs specified in SP 800-90A as soon as possible. Schneier says that isn't a problem. "Nobody is actually using it," he says, referring to Dual_EC_DRBG.
As part of the transition plan, NIST says its Cryptographic Algorithm Validation Program would update the validation list for these implementations to reflect the decision that Dual_EC_DRBG would no longer be approved. The Cryptographic Module Validation Program would ensure that modules that depend on an approved DRBG have an alternative DRBG available for use.
NIST requests comments on the second draft of SP 800-90A, which omits the Dual_EC_DRBG, be sent by May 23 with the subject line "Comments on SP 800-90A" to RBG_comments@nist.gov.
In February, NIST issued another draft report proposing a new approach on how it develops cryptographic standards. Comments on the draft of Interagency Report 7766, titled "NIST Cryptographic Standards and Guidelines Development Process," which outlines proposed principles, processes and procedures of NIST's cryptographic standards efforts were due last week (see NIST Unveils Crypto Standards Proposal).