RSA advises customers to stop using NSA-influenced encryption algorithm
Posted on 20 September 2013.
In the wake of the disclosure that the NSA has influenced NIST to adopt an encryption standard that includes one random bit generator with a weakness known only to the intelligence agency, NIST has reopened the public comment period for the standard so that the public can analyze and comment on it again.


They also promised to work with the cryptographic community to address any vulnerability that may be found, and recommended that the generator in question (Dual_EC_DRBG) no longer be used.

And according to Ars Technica, RSA Security has decided to listen.

The company has sent out an advisory to the developer customers of its BSAFE Toolkits and Data Protection Manager, notifying them that the tools were using the algorithm by default and instructing them on how to change it. All versions of both tools are affected.

According to a company spokesman, RSA is conducting an internal review of all of its products to check whether the algorithm is invoked in any of them, but a source close to the company has confirmed that its flagship product - the two-factor authentication SecurID system - does not use the faulty algorithm.

"At the time, elliptic curves were in vogue and hash-based RNG was under scrutiny. The hope was that elliptic curve techniques—based as they are on number theory—would not suffer many of the same weaknesses as other techniques (like the FIPS 186 SHA-1 generator) that were seen as negative, and Dual_EC_DRBG was an accepted and publicly scrutinized standard," RSA Security CTO Sam Curry explained why the company chose to use the algorithm as default for the two products.

He also added that there were a number of features that made it seem ideal at the time (2004-2005): continuous testing of the output, mandatory re-seeding, optional prediction resistance and the ability to configure for different strengths.

RSA has sent out the advisory to select developers, but this warning should be heeded by many that probably didn't receive it in the email.









Spotlight

Leveraging network intelligence and deep packet inspection

Posted on 26 November 2014.  |  Tomer Saban, CEO of WireX Systems, talks about how deep packet inspection helps with identifying emerging threats, the role of network intelligence, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Nov 28th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //