Volume 4, Number 43 -- November 28, 2007

Is There an NSA Back Door in Encryption Algorithms?

Published: November 28, 2007

by Timothy Prickett Morgan

In general, security is not a beat we cover very deeply at IT Jungle. The enterprise-class platforms we cover are all designed with many different kinds of security, and we let experts worry about the very hairy details that go into securing platforms, much as end users themselves do when they trust encryption, antivirus, firewall, and other kinds of code. But what happens when the encryption code behind these products is flawed?

A recent story in Wired magazine had a title that jumped out like a criminal wielding a gun: "Did NSA Put a Secret Backdoor in New Encryption Standard?" It wouldn't surprise many of us if the dominant governments of the world did such a thing, of course. Author Bruce Schneier, a researcher in cryptography, says that the random number generators inside of Windows and Linux have been flawed, and a decade ago, so was the algorithm used in SSL encryption because of a defect in a random number generator. Flaws are bad. But there is apparently a sneaking suspicion among security experts that a new encryption algorithm proposed by the U.S. Commerce Department's National Institute of Standards and Technology, called SP 800-90, and promoted by the U.S. National Security Agency might have a skeleton key.

Yikes.

Without getting too deep into it, the idea is that if you know a secret string of numbers, you can predict the output of the Dual_EC_DRBG random number generator behind the SP 800-90 algorithm; and if you can predict the results of a random number generator, then it ain't random at all, now is it? Dan Shumow and Niels Ferguson of Microsoft have put together a nice presentation talking about the possibility of a back door in the SP 800-90 when using the Dual_EC_DRBG random number generator, which you can read here. You need to know a lot of math to make sense of this, but you get the larger point they are making.

The question everyone wants answered now is this: Who has the constants behind the algorithm? (The Microsoft researchers do not know them, and it is probably impossible to derive them from the algorithm.) Moreover, why would anyone try to slip this one by? Personally, I smell a misdirection tactic, and if I were a security expert, I would be combing over the remaining random number generators for similar, how shall I put this, features.

The good news is that the SP 800-90 standard includes other random number generators. When you are buying security products, check to see if they are using SP 800-90 encryption and make sure it is not using the Dual_EC_DRBG random number generator.



