Encryption

NIST Removes Dual_EC_DRBG From Random Number Generator Recommendations

Posted by Soulskill
from the cryptic-announcement dept.
hypnosec writes: "The National Institute of Standards and Technology (NIST) has removed the much-criticized Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) from its draft guidance on random number generators following a period of public comment and review. The revised document retains three of the four previously available options for generating pseudorandom bits required to create secure cryptographic keys for encrypting data. NIST recommends that people using Dual_EC_DRBG should transition to one of the other three recommended algorithms as quickly as possible."
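For readers weighing the "transition to one of the other three" advice, here is an added example (not part of the original story or of NIST's own publications) of one of the retained generators, HMAC_DRBG from SP 800-90A, written over SHA-256. Its entire state is the pair (K, V) derived from the caller's seed material, so there are no fixed constants to take on trust. The seed bytes in `deterministic_demo()` are constructed for the demonstration; `new_system_drbg()` shows how a deployment would seed from the operating system instead.

```python
import hmac
import hashlib
import os


class HmacDrbg:
    """HMAC_DRBG (SP 800-90A, section 10.1.2) instantiated with SHA-256.

    The state is only (K, V): there are no fixed curve points or other
    constants whose provenance a user would have to take on trust.
    """

    OUTLEN = hashlib.sha256().digest_size      # 32 bytes per HMAC output
    SECURITY_STRENGTH = 32                     # 256 bits of entropy required
    RESEED_INTERVAL = 1 << 48                  # spec upper bound on requests
    MAX_REQUEST = 1 << 16                      # max bytes per generate() call

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if len(entropy) < self.SECURITY_STRENGTH:
            raise ValueError("entropy input shorter than security strength")
        # Instantiate: K = 0x00..00, V = 0x01..01, then fold the seed in.
        self._k = b"\x00" * self.OUTLEN
        self._v = b"\x01" * self.OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: derive the next (K, V). The second round runs
        # only when caller-supplied data is being mixed in.
        self._k = self._hmac(self._k, self._v + b"\x00" + provided_data)
        self._v = self._hmac(self._k, self._v)
        if provided_data:
            self._k = self._hmac(self._k, self._v + b"\x01" + provided_data)
            self._v = self._hmac(self._k, self._v)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        if len(entropy) < self.SECURITY_STRENGTH:
            raise ValueError("entropy input shorter than security strength")
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, num_bytes: int, additional_input: bytes = b"") -> bytes:
        if num_bytes > self.MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < num_bytes:
            self._v = self._hmac(self._k, self._v)
            out += self._v
        # Advance the state after every request so earlier output cannot be
        # recovered from a later state compromise (backtracking resistance).
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:num_bytes]


def new_system_drbg(personalization: bytes = b"") -> HmacDrbg:
    """Instantiate from the OS entropy source, as a deployment would."""
    return HmacDrbg(os.urandom(32), os.urandom(16), personalization)


def deterministic_demo() -> dict:
    """Constructed seed material (NOT random; for demonstration only).

    Shows that the generator is a deterministic function of its inputs
    and that a reseed moves the stream off its previous path.
    """
    entropy = bytes(range(32))          # constructed, never use in production
    nonce = b"constructed-nonce"
    a = HmacDrbg(entropy, nonce, b"demo")
    b = HmacDrbg(entropy, nonce, b"demo")
    first_a = a.generate(48)
    first_b = b.generate(48)
    second_a = a.generate(48)
    b.reseed(bytes(32))                 # constructed reseed entropy
    second_b = b.generate(48)
    return {
        "same_seed_same_output": first_a == first_b,
        "successive_outputs_differ": first_a != second_a,
        "reseed_changes_stream": second_a != second_b,
        "reseed_resets_counter": b.reseed_counter == 2,
        "length_ok": len(first_a) == 48,
    }


if __name__ == "__main__":
    print(deterministic_demo())
    print(new_system_drbg(b"example").generate(16).hex())
```

The determinism check is the point: two instances given identical seed material must agree byte for byte, which is what makes a DRBG testable against known-answer vectors, while the reseed path shows how fresh entropy is folded in through the same `_update` step.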
  • Trust... (Score:3, Insightful)

    by Anonymous Coward on Tuesday April 22, 2014 @03:53PM (#46817791)

    ... So much more easily lost than won. How is anyone supposed to take these new recommendations seriously?

  • by erikkemperman (252014) on Tuesday April 22, 2014 @04:11PM (#46817953)

    NIST recommends that people using Dual_EC_DRBG should transition to one of the other three recommended algorithms as quickly as possible.

    Presumably GP worries that if one out of four options selected by this body is not just flawed but apparently deliberately subverted, what does that say about how well the other three were vetted?

  • by erikkemperman (252014) on Tuesday April 22, 2014 @05:57PM (#46818681)

    Some people claim that it has a backdoor, but that isn't what has been proven. What has been proven is that a backdoor is possible with the technology and you wouldn't know either way.

    The difference is academic, but I suppose you mean as in this [slashdot.org] story about the proof of concept?

    An algorithm for which a backdoor is possible should be considered backdoored. Especially for crypto PRNGs. Anyway, taken in context, which is to say the RSA connection and those unexplained constants P and Q which you couldn't change in certified implementations. Guess I'm inclined to be just slightly more paranoid these days.

  • by cold fjord (826450) on Tuesday April 22, 2014 @06:16PM (#46818781)

    The problem is that by assuming the worst you can go down the wrong path if the situation isn't in fact worst case. Consider the example of DES encryption. The NSA tweaked the S-box values before the standard was approved. Nobody outside of NSA knew why. Many people suspected some sort of backdoor, but nobody could find one. As a result of the suspicion there were people that refused to use DES. Eventually it emerged that NSA had strengthened DES against secret cryptanalysis techniques that weren't generally known at the time. Many of the people that refused to use DES ended up using encryption schemes that were vulnerable to the secret techniques because they assumed the worst and were wrong. DES held up remarkably well against attacks over time, including attacks that were either invented or reinvented long after DES was approved.

  • by erikkemperman (252014) on Tuesday April 22, 2014 @06:23PM (#46818815)

    You go ahead and keep on using it. Meanwhile, for the rest of us, no proof is needed -- not in the sense that you insist is relevant. The theoretical possibility is enough to ditch this generator. That, and as kasperd and others point out, all those circumstantial bits of evidence... It must take real effort not to see it.
