RSA advises customers to stop using NSA-influenced encryption algorithm
Posted on 20 September 2013.
In the wake of the disclosure that the NSA has influenced NIST to adopt an encryption standard that includes one random bit generator with a weakness known only to the intelligence agency, NIST has reopened the public comment period for the standard so that the public can analyze and comment on it again.

They also promised to work with the cryptographic community to address any vulnerability that may be found, and recommended that the generator in question (Dual_EC_DRBG) no longer be used.

And according to Ars Technica, RSA Security has decided to listen.

The company has sent out an advisory to the developer customers of its BSAFE Toolkits and Data Protection Manager, notifying them that the tools were using the algorithm by default and instructing them on how to change it. All versions of both tools are affected.

According to a company spokesman, RSA is conducting an internal review of all of its products to check whether the algorithm is invoked in any of them, but a source close to the company has confirmed that its flagship product - the two-factor authentication SecurID system - does not use the faulty algorithm.

"At the time, elliptic curves were in vogue and hash-based RNG was under scrutiny. The hope was that elliptic curve techniques—based as they are on number theory—would not suffer many of the same weaknesses as other techniques (like the FIPS 186 SHA-1 generator) that were seen as negative, and Dual_EC_DRBG was an accepted and publicly scrutinized standard," RSA Security CTO Sam Curry explained why the company chose to use the algorithm as default for the two products.

He also added that there were a number of features that made it seem ideal at the time (2004-2005): continuous testing of the output, mandatory re-seeding, optional prediction resistance and the ability to configure for different strengths.

RSA has sent out the advisory to select developers, but this warning should be heeded by many that probably didn't receive it in the email.


The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Fri, Aug 29th