Volume 16, Number 37 -- November 26, 2007

Is There an NSA Back Door in Encryption Algorithms?

Published: November 26, 2007

by Timothy Prickett Morgan

In general, security is not a beat we cover very deeply at IT Jungle. The enterprise-class platforms we cover are all designed with many different kinds of security, and we let experts worry about the very hairy details that go into securing platforms, much as end users themselves do when they trust encryption, antivirus, firewall, and other kinds of code. But what happens when the encryption code behind these products is flawed?

A recent story in Wired magazine had a title that jumped out like a criminal wielding a gun: Did NSA Put a Secret Backdoor in New Encryption Standard? It wouldn't surprise many of us if the dominant governments of the world did such a thing, of course. Author Bruce Schneier, a researcher in cryptography, says that the random number generators inside of Windows and Linux have been flawed, and a decade ago, so was the algorithm used in SSL encryption because of a defect in a random number generator. Flaws are bad. But there is apparently a sneaking suspicion among security experts that a new encryption algorithm proposed by the U.S. Commerce Department's National Institute of Standards and Technology, called SP 800-90, and promoted by the U.S. National Security Agency might have a skeleton key.

Yikes.

Without getting too deep into it, the idea is that if you know a secret string of numbers, you can predict the output of the Dual_EC_DRBG random number generator behind the SP 800-90 algorithm; and if you can predict the results of a random number generator, then it ain't random at all, now is it? Dan Shumow and Niels Ferguson of Microsoft have put together a nice presentation on the possibility of a back door in SP 800-90 when it uses the Dual_EC_DRBG random number generator, which you can read here. You need to know a lot of math to make sense of all of it, but the larger point they are making comes through.
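As an added illustration (not from the article or from Shumow and Ferguson's slides), here is a toy Dual_EC_DRBG on a small constructed curve that shows the mechanism described above: whoever knows the secret relation d between the two published points P and Q can turn one output block into the generator's next internal state and predict everything that follows. The curve, the constant d and the seed are all constructed for this demo; the real generator uses NIST P-256 and drops the top 16 bits of each output, which only adds a small search to the same calculation.

```python
# Toy Dual_EC_DRBG illustrating the Shumow-Ferguson observation.
# Curve, secret d and seed are CONSTRUCTED for the demo, not the SP 800-90 constants.
p = 2**31 - 1                    # Mersenne prime; p % 4 == 3, so a square root is one pow()
A, B = p - 3, 7                  # y^2 = x^3 - 3x + 7 (mod p); 27*(B^2 - 4) != 0, non-singular

def ec_add(P1, P2):
    """Affine point addition; None is the point at infinity."""
    if P1 is None: return P2
    if P2 is None: return P1
    x1, y1 = P1; x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if P1 == P2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p)
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k > 0:
        if k & 1: R = ec_add(R, P)
        P = ec_add(P, P); k >>= 1
    return R

def lift_x(x):
    """Return a curve point with x-coordinate x (either sign of y works for the attack)."""
    rhs = (x**3 + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    if y * y % p != rhs: raise ValueError("x is not on the curve")
    return (x, y)

def x_of(pt): return 0 if pt is None else pt[0]   # toy convention: infinity -> 0

# Q: first x with a square right-hand side. P = d*Q, where d is the "skeleton key".
Q = lift_x(next(x for x in range(2, p) if pow((x**3 + A*x + B) % p, (p-1)//2, p) == 1))
SECRET_D = 1234567               # known only to whoever chose the constants
P = ec_mul(SECRET_D, Q)          # published; its relation to Q is not detectable from P alone

class ToyDualEC:
    def __init__(self, seed): self.s = seed % p
    def next_output(self):
        self.s = x_of(ec_mul(self.s, P))     # state update: s <- x(s*P)
        return x_of(ec_mul(self.s, Q))       # output block: r = x(s*Q) (untruncated here)

def recover_state(r, d):
    """From one output r = x(s*Q): x(d*(s*Q)) = x(s*(d*Q)) = x(s*P), the next state."""
    return x_of(ec_mul(d, lift_x(r)))

def predict_next_output(r, d):
    """Predict the block that follows r, using only r and the secret d."""
    return x_of(ec_mul(recover_state(r, d), Q))
```

Without d, recovering s from r is the elliptic-curve discrete logarithm problem; with d it is one scalar multiplication, which is why a generator whose constants were chosen by someone else cannot be trusted.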

The question everyone wants answered now is this: Who has the constants behind the algorithm? (The Microsoft researchers do not know them, and it is probably impossible to derive them from the algorithm.) Moreover, why would anyone try to slip this one by? Personally, I smell a misdirection tactic, and if I were a security expert, I would be combing over the remaining random number generators for similar, how shall I put this, features.

The good news is that the SP 800-90 standard includes other random number generators. When you are buying security products, check whether they use SP 800-90 and make sure they are not using the Dual_EC_DRBG random number generator.
