tlb
Volume 4, Number 43 -- November 27, 2007

Is There an NSA Back Door in Encryption Algorithms?

Published: November 27, 2007

by Timothy Prickett Morgan

In general, security is not a beat we cover very deeply at IT Jungle. The enterprise-class platforms we cover are all designed with many different kinds of security, and we let experts worry about the very hairy details that go into securing platforms, much as end users themselves do when they trust encryption, antivirus, firewall, and other kinds of code. But what happens when the encryption code behind these products is flawed.

A recent story in Wired magazine had a title that jumped out like a criminal wielding a gun: Did NSA Put a Secret Backdoor in New Encryption Standard? It wouldn't surprise many of us if the dominant governments of the world did such a thing, of course. Author Bruce Schneier, a researcher in cryptography, says that the random number generators inside of Windows and Linux have been flawed, and a decade ago, so was the algorithm used in SSL encryption because of a defect in a random number generator. Flaws are bad. But there is apparently a sneaking suspicion among security experts that a new encryption algorithm proposed by the U.S. Commerce Department's National Institute of Standards and Technology, called SP 800-90, and promoted by the U.S. National Security Agency might have a skeleton key.

Yikes.

Without getting too deep into it, the idea is that if you know a secret string of numbers, you can predict the output of the Dual_EC_DRBG random number generator behind the SP 800-90 algorithm; and if you can predict the results of a random number generator, then it ain't random at all, now is it? Dan Shumow and Niels Ferguson of Microsoft have put together a nice presentation talking about the possibility of a back door in the SP 800-90 when using the Dual_EC_DRBG random number generator, which you can read here. You need to know a lot of math to make sense of this, but you get the larger point they are making.

The question everyone wants to know now is this: Who has the constants behind the algorithm? (The Microsoft researchers do not know them, and it is probably impossible to derive them from the algorithm.) Moreover, why would anyone try to slip this one by? Personally, I smell a misdirection tactic, and if I was a security expert, I would be combing over the remaining random number generators for similar, how shall I put this, features.

The good news is that the SP 800-90 standard includes other random number generators. When you are buying security products, check to see if they are using SP 800-90 encryption and make sure it is not using the Dual_EC_DRBG random number generator.



                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Sponsored By
COMPUTER MEASUREMENT GROUP

CMG '07 International Conference
Enterprise Computer Performance Management
December 2-7, San Diego

Learn how to master today's most demanding enterprise computer performance management challenges at CMG '07-December 2-7 in San Diego. CMG '07 is the world's largest gathering of IT professionals focused on performance optimization…capacity planning…and resource management for enterprise computing systems. This 33rd annual conference is sponsored by the Computer Measurement Group (CMG), a not-for-profit worldwide association for systems management professionals.

Register today at www.cmg.org
Or call 800-436-7264
Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik, Kevin Vandever,
Shannon O'Donnell, Victor Rozek, Hesh Wiener, Alex Woodie
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

COMMON:  Join us at the annual 2008 conference, March 30 - April 3, in Nashville, Tennessee
nuBridges:  Linux-based software for electronic data interchange and secure managed file transfer
IT Security:  Solutions for your Windows & Linux environment
 

IT Jungle Store Top Book Picks

The System i Pocket RPG & RPG IV Guide: List Price, $69.95
The iSeries Pocket Database Guide: List Price, $59.00
The iSeries Pocket Developers' Guide: List Price, $59.00
The iSeries Pocket SQL Guide: List Price, $59.00
The iSeries Pocket Query Guide: List Price, $49.00
The iSeries Pocket WebFacing Primer: List Price, $39.00
Migrating to WebSphere Express for iSeries: List Price, $49.00
iSeries Express Web Implementer's Guide: List Price, $59.00
Getting Started with WebSphere Development Studio for iSeries: List Price, $79.95
Getting Started With WebSphere Development Studio Client for iSeries: List Price, $89.00
Getting Started with WebSphere Express for iSeries: List Price, $49.00
WebFacing Application Design and Development Guide: List Price, $55.00
Can the AS/400 Survive IBM?: List Price, $49.00
The All-Everything Machine: List Price, $29.95
Chip Wars: List Price, $29.95
 
The Four Hundred
Redefining Security the New Goal of Former i5/OS Security Architect

The System i Fourth Quarter Sales Strategy

Power Systems Division Eyes Cognos Deal; Business Systems Shrugs

As I See It: The Sick Guys in Your Wallet

Four Hundred Stuff
PowerTech Ships i5/OS Syslog Connector for SIEM

Change Management Software Gets Boost from Mighty Ant

Attachmate Ships Emulator, Touts Tolly Report

BCD Delivers Major Update of WebSmart ILE

Big Iron
IBM Acquires BI Software Specialist Cognos for $5 Billion

Top Mainframe Stories From Around the Web

Chats, Webinars, Seminars, Shows, and Other Happenings

Four Hundred Guru
ON vs. WHERE

Odds and Ends

Admin Alert: How Big is My IFS?

System i PTF Guide
November 24, 2007: Volume 9, Number 46

November 17, 2007: Volume 9, Number 45

November 10, 2007: Volume 9, Number 45

November 3, 2007: Volume 9, Number 44

October 27, 2007: Volume 9, Number 43

October 20, 2007: Volume 9, Number 42

The Windows Observer
Windows Server 2008 Pricing and Packaging Set by Microsoft

'Viridian' Hypervisor Gains Formal Name: Hyper-V

Intel Announces First "Penryn" Xeon Processors

Microsoft Makes Gains in HPC Market

The Unix Guardian
Solaris Conversion Rate: Sun Sheds Some Light

Blade Servers Make It to the Top HPC Sites

Intel Announces First "Penryn" Xeon Processors

The Blue Cloud Is IBM's Commercial Cloud Computing

Four Hundred Monitor
Four Hundred Monitor's
Full iSeries Events Calendar

THIS ISSUE SPONSORED BY:

Bytware
Storix
Storage Guardian
Arkeia
Computer Measurement Group


Printer Friendly Version


TABLE OF CONTENTS
Blade Servers Make It to the Top HPC Sites

Red Hat and Platform Computing Partner for Supercomputing

HP Closes Out Fiscal 2007 with a Strong Finish

Be My Guest

But Wait, There's More:
IBM Slashes Linux SupportLine Prices for System i and p . . . VMware Floats Beta of Upcoming VMware Server 2 Hypervisor . . . The Blue Cloud Is IBM's Commercial Cloud Computing . . . SMB Shops Optimistic About IT Spending in 2008 . . . Is There an NSA Back Door in Encryption Algorithms? . . . Symantec Surveys Says DR Planning and Testing Are Inadequate . . .

The Linux Beacon

BACK ISSUES





 
Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at http://www.itjungle.com/sub/subscribe.html.

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement