Following an announcement by the National Institute of Standards and Technology (NIST), computer and network security company RSA has issued an advisory recommending against the use of a community-developed encryption algorithm that may contain a privacy-affecting backdoor.
The algorithm in question is Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG).
That means all versions of RSA’s BSAFE Toolkits are affected, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C, as well as all versions of RSA’s Data Protection Manager server and clients, according to the RSA advisory.
RSA said customers should choose one of the different cryptographic Pseudo-Random Number Generators (PRNG) built into the BSAFE toolkit.
“To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG,” the advisory said. “Technical guidance, including how to change the default PRNG in most libraries, is available in the most current product documentation at https://knowledge.rsasecurity.com.”
Following the Edward Snowden leaks, the Dual_EC_DRBG has been reported as containing an National Security Agency (NSA) backdoor that would invalidate NIST’s approval of the algorithm as an industry standard.
A NIST spokesperson said earlier this month that it “would not deliberately weaken a cryptographic standard,” and a couple of weeks later the organization issued the announcement suggesting people do not use Dual_EC_DRBG.
RSA declined a SCMagazine.com request for further information.