Vulnerability Management

NIST and RSA recommend avoiding encryption algorithm standard

Following an announcement by the National Institute of Standards and Technology (NIST), computer and network security company RSA has issued an advisory recommending against the use of a community-developed encryption algorithm that may contain a privacy-affecting backdoor.

The algorithm in question is Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG).

That means all versions of RSA's BSAFE Toolkits are affected, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C, as well as all versions of RSA's Data Protection Manager server and clients, according to the RSA advisory.  

RSA said customers should choose one of the different cryptographic Pseudo-Random Number Generators (PRNG) built into the BSAFE toolkit.

“To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG,” the advisory said. “Technical guidance, including how to change the default PRNG in most libraries, is available in the most current product documentation at https://knowledge.rsasecurity.com.”

Following the Edward Snowden leaks, the Dual_EC_DRBG has been reported as containing an National Security Agency (NSA) backdoor that would invalidate NIST's approval of the algorithm as an industry standard.

A NIST spokesperson said earlier this month that it “would not deliberately weaken a cryptographic standard,” and a couple of weeks later the organization issued the announcement suggesting people do not use Dual_EC_DRBG.

RSA declined a SCMagazine.com request for further information.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.