Word surfaced not too long ago that the NSA could have a backdoor for a specific type of encryption algorithm popularly used by developers. Today RSA Security, which offers this encryption to its customers by default in a toolkit, has sent out a notification advising those users to stop using it for the time being, as well as instructions for different options.
Said the security bulletin RSA Security posted, “Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used.”
Customers are being told that the BSAFE libraries, RSA DPM clients, and servers all use the Dual EC DRBG as its default PRNG, which stands for Dual Elliptic Curve Deterministic Random Bit Generation and Pseudo-random Number Generators, respectively.
This particular type of algorithm became popular in the middle of the last decade, becoming a National Institute of Standards and Technology standard back in 2007. Such inclusion as a standard is said to have resulted from the NSA itself, which reportedly created a backdoor for the algorithm and then pushed for its widespread implementation.
To further this move away from the standard, RSA Security is conducting an internal review of its offerings and changing all instances of the algorithm’s presence, something that it anticipates wrapping up next week. There will also be a change in the default for its BSAFE Toolkits, as well as algorithm updates when necessary.