An encryption algorithm with a suspected NSA-designed backdoor has been declared insecure by the developer after years of extensive use by customers worldwide, including the US federal agencies and government entities.
Major US computer security company RSA Security, a division of EMC, has privately warned thousands of its customers on Thursday to immediately discontinue using all versions of company’s BSAFE toolkit and Data Protection Manager (DPM), both using Dual_EC_DRNG (Dual Elliptic Curve Deterministic Random Bit Generator) encryption algorithm to protect sensitive data.
“To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual_EC_DRNG [cryptographic keys generator] and move to a different PRNG [Pseudo-random Number Generator],” warned RSA’s letter, as quoted by The Wall Street Journal.
In the letter the RSA provided BSAFE Toolkits and DPM customers with a link to technical guidance to change the PRNG settings in their products and promised to update the algorithm library.
The letter does not mention RSA’s flagship SecurID tokens, used by millions of employees around the world to get secure access to their corporate networks.
In 2006, the US National Institute of Standards and Technology (NIST) followed by the International Organization for Standardization officially endorsed Dual_EC_DRNG, so encryption software base on it was used for years by both private sector and US government agencies.
Last week the New York Times published new revelations by former National Security Agency contractor Edward Snowden, exposing that crucial encryption algorithm of certain US-developed security software is based on weak mathematical formula intentionally crippled to facilitate NSA access to encrypted dataflow.
- RSA Security Warns of Possible NSA Backdoor (slashdot.org)
- RSA Tells Its Developer Customers: Stop Using NSA-Linked Algorithm (wired.com)
- RSA Security advises users to avoid encryption possibly containing NSA backdoor (slashgear.com)
- Major US security company warns over NSA link to encryption formula (theguardian.com)