Security freelancer Aris Adamantiadis has published proof-of-concept code for exploiting a security flaw in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), the random number generator allegedly compromised by the U.S. National Security Agency (NSA) so it could gain access to a particular security product.
Adamantiadis' proof-of-concept generates values for Dual_EC_DRBG's P and Q parameters—which were set by NSA when it developed the algorithm and are not randomly generated—to show that knowing the mathematical relationship between these parameters makes it possible to predict Dual_EC_DRBG's next output.
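The relationship described above can be reproduced on self-generated parameters. The following is an added example, not Adamantiadis' published code: it assumes secp256k1 as a stand-in curve, a constructed secret `D` and seed, hypothetical function names, and outputs that are not truncated as the standardized generator's are.

```python
# Toy Dual_EC-style generator with self-generated P and Q (all values constructed).
PRIME = 2**256 - 2**32 - 977      # secp256k1 field prime (PRIME % 4 == 3)
A, B = 0, 7                       # stand-in curve: y^2 = x^3 + 7

def inv(v):
    return pow(v % PRIME, PRIME - 2, PRIME)   # modular inverse via Fermat

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0: return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1)
    else:
        lam = (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % PRIME
    return x3, (lam * (x1 - x3) - y1) % PRIME

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift(x):
    """Return a curve point with x-coordinate x, or None if there is none."""
    rhs = (x**3 + A * x + B) % PRIME
    y = pow(rhs, (PRIME + 1) // 4, PRIME)
    return (x, y) if y * y % PRIME == rhs else None

Q = next(pt for pt in map(lift, range(1, 100)) if pt)   # public point
D = 0x5EC2E7                 # constructed secret, known only to whoever chose P and Q
P = mul(D, Q)                # public point; the hidden relationship is P = D*Q
SEED = 0x1234567890ABCDEF    # constructed initial state

def dual_ec_step(state):
    """One round: new_state = x(state*P); output = x(new_state*Q)."""
    new_state = mul(state, P)[0]
    return new_state, mul(new_state, Q)[0]

def predict_next(output, d):
    """From one output and a d with P = d*Q, compute the following output."""
    hidden_state = mul(d, lift(output))[0]   # d*(s*Q) = s*P, whose x is the next state
    return mul(hidden_state, Q)[0]
```

Anyone who only sees `P` and `Q` cannot tell whether such a `D` exists, which is why parameters that were set rather than verifiably randomly generated are the concern here.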
The publication of the proof-of-concept comes after RSA was accused of having an agreement with NSA to use Dual_EC_DRBG as the default pseudo-random number generator in its BSafe product in order to provide the NSA with a backdoor. RSA has denied those charges.
The use of Dual_EC_DRBG is no longer recommended by the U.S. National Institute of Standards and Technology, and in September, the agency reissued Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, and reopened the discussions around its special papers for the Entropy Sources Used for Random Bit Generation and Recommendation for Random Bit Generator Constructions.
From ZDNet
Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA