
NIST drops NSA-backed random number generator

In response to public concerns about cryptographic security, the National Institute of Standards and Technology has dropped Dual_EC_DRBG from its list of recommended algorithms for generating the random numbers needed to create secure cryptographic keys for encrypting data.

In its updated guidelines on mechanisms for reliably generating random numbers, NIST said it removed support for Dual_EC_DRBG because of concerns that it might contain a weakness that attackers could exploit to predict the outcome of random number generation.

Because Dual_EC_DRBG was proposed as a standard by the National Security Agency, some thought the NSA may have intentionally weakened it “to allow the agency to access communications protected by products that use Dual_EC,” according to ThreatPost.

NIST continues to recommend the other three algorithms that were included in the previous version of the Recommendation document, which was released in early 2012. 

The revised version also contains several other notable changes, according to NIST. One allows additional options for the use of the CTR_DRBG random number algorithm. Another change recommends reintroducing randomness into deterministic algorithms as often as it is practical, because refreshing them provides additional protection against attack. The document also includes a link to examples that can help developers implement the SP 800-90A random number generators correctly. 
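The reseeding recommendation can be illustrated with a short sketch. This is an added example, not code from NIST or from the article: a simplified HMAC_DRBG (one of the SP 800-90A mechanisms) without the standard's health tests, reseed counter or request limits. The class name, the `demo` function and the seed values are constructed for illustration.

```python
import copy
import hashlib
import hmac
import os


class HmacDrbg:
    """Simplified HMAC_DRBG with SHA-256, following the SP 800-90A update/generate/reseed steps."""

    def __init__(self, entropy: bytes, nonce: bytes = b""):
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(entropy + nonce)

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        # Mix optional data into the internal state (K, V).
        self.K = self._hmac(self.K, self.V + b"\x00" + data)
        self.V = self._hmac(self.K, self.V)
        if data:
            self.K = self._hmac(self.K, self.V + b"\x01" + data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy: bytes) -> None:
        # Reintroduce randomness: the new state depends on entropy the old state never saw.
        self._update(entropy)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update()  # advance the state after every request
        return out[:n]


def demo(seed: bytes, fresh: bytes) -> tuple:
    """Return (copy tracks output before reseed, copy tracks output after reseed)."""
    drbg = HmacDrbg(seed)
    drbg.generate(32)
    exposed = copy.deepcopy(drbg)  # models a one-time exposure of the internal state
    before = exposed.generate(32) == drbg.generate(32)
    drbg.reseed(fresh)             # fresh entropy unknown to the holder of the copy
    after = exposed.generate(32) == drbg.generate(32)
    return before, after


if __name__ == "__main__":
    print(demo(os.urandom(48), os.urandom(32)))
```

Until the reseed, the copied state reproduces every output of the generator; after the reseed it no longer does, which is the additional protection that frequent refreshing provides.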

The updated document, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, is available here.

About the Author

Connect with the GCN staff on Twitter @GCNtech.
