    Is There an NSA Back Door in Encryption Algorithms?

    November 26, 2007 Timothy Prickett Morgan

    In general, security is not a beat we cover very deeply at IT Jungle. The enterprise-class platforms we cover are all designed with many different kinds of security, and we let experts worry about the very hairy details that go into securing platforms, much as end users themselves do when they trust encryption, antivirus, firewall, and other kinds of code. But what happens when the encryption code behind these products is flawed?

    A recent story in Wired magazine had a title that jumped out like a criminal wielding a gun: "Did NSA Put a Secret Backdoor in New Encryption Standard?" It wouldn't surprise many of us if the dominant governments of the world did such a thing, of course. Author Bruce Schneier, a researcher in cryptography, says that the random number generators inside of Windows and Linux have been flawed, and that a decade ago the algorithm used in SSL encryption was flawed too, because of a defect in a random number generator. Flaws are bad. But there is apparently a sneaking suspicion among security experts that a new encryption algorithm proposed by the U.S. Commerce Department's National Institute of Standards and Technology, called SP 800-90, and promoted by the U.S. National Security Agency might have a skeleton key.

    Yikes.

    Without getting too deep into it, the idea is that if you know a secret string of numbers, you can predict the output of the Dual_EC_DRBG random number generator behind the SP 800-90 algorithm; and if you can predict the results of a random number generator, then it ain’t random at all, now is it? Dan Shumow and Niels Ferguson of Microsoft have put together a nice presentation talking about the possibility of a back door in the SP 800-90 when using the Dual_EC_DRBG random number generator, which you can read here. You need to know a lot of math to make sense of this, but you get the larger point they are making.

    The question everyone wants to know now is this: Who has the constants behind the algorithm? (The Microsoft researchers do not know them, and it is probably impossible to derive them from the algorithm.) Moreover, why would anyone try to slip this one by? Personally, I smell a misdirection tactic, and if I were a security expert, I would be combing over the remaining random number generators for similar, how shall I put this, features.

    The good news is that the SP 800-90 standard includes other random number generators. When you are buying security products, check to see if they are using SP 800-90 encryption and make sure it is not using the Dual_EC_DRBG random number generator.



    Tags: mtfh_rc, Volume 16, Number 37 -- November 26, 2007
