NIST SP 800-90A
NIST SP 800-90A ("SP" stands for "special publication") is a publication by the National Institute of Standards and Technology with the title Recommendation for Random Number Generation Using Deterministic Random Bit Generators. The publication contains the specification for four cryptographically secure pseudorandom number generators for use in cryptography: Hash_DRBG (based on hash functions), HMAC_DRBG (Based on Hash-based message authentication code), CTR_DRBG (based on block ciphers), and Dual_EC_DRBG (based on elliptic curve cryptography). The Dual_EC_DRBG RNG was later reported to probably contain a backdoor inserted by the National Security Agency, while the other three random number generators are still considered secure.
As a work of the US Federal Government, NIST SP 800-90A is in the public domain and freely available. However, the version now available [17 Feb 2014] under the original SP 800-90A designation is actually an externally unlabelled version dated internally as January 2012. The updating changes need to be compared to the actual original document. [Needed: a validated link or reference citation to the original version of March 2007.]
Backdoor in Dual_EC_DRBG
As part of the Bullrun program, NSA has been inserting backdoors into cryptography systems. One such target was suggested in 2013 to be Dual_EC_DRBG. The NSA accomplished this by working during the standardization process to eventually become the sole editor of the standard. In getting Dual_EC_DRBG accepted into NIST SP 800-90A, NSA cited prominent security firm RSA Security's usage of Dual_EC_DRBG in their products. However RSA Security had been paid $10 million by NSA to use Dual_EC_DRBG as default, in a deal that Reuters describes as "handled by business leaders rather than pure technologists". As the $10 million contract to get RSA Security to use Dual_EC_DRBG was described by Reuters as secret, the people involved in the process of accepting Dual_EC_DRBG into NIST SP 800-90A were presumably not made aware of this obvious conflict of interest. This might help explain how a random number generator later shown to be inferior to the alternatives (in addition to the back door) made it into the NIST SP 800-90A standard.
The potential for a backdoor in Dual_EC_DRBG had already been documented by Dan Shumow and Niels Ferguson in 2007, but continued to be used in practice by companies such as RSA Security until the 2013 revelation. Given the known flaws in Dual_EC_DRBG, there have subsequently been accusations that RSA Security knowingly inserted a NSA backdoor into its products. RSA has denied knowingly inserting a backdoor into its products.
- Barker, Elaine; Kelsey, John (January 2012). "NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators" (PDF). National Institute of Standards and Technology.
- Green, Matthew (2013-09-20). "RSA warns developers not to use RSA products". Retrieved 2014-08-23.
- Perlroth, Nicole (2013-09-10). "Government Announces Steps to Restore Confidence on Encryption Standards". New York Times. Retrieved 2014-08-23.
- Ball, James; Borger, Julian; Greenwald, Glenn (2013-09-05). "Revealed: how US and UK spy agencies defeat internet privacy and security". The Guardian. Retrieved 2014-08-23.
- Menn, Joseph (2013-12-20). "Exclusive: Secret contract tied NSA and security industry pioneer". Reuters. Retrieved 2014-08-23.
- Bruce Schneier (2007-11-15). "Did NSA Put a Secret Backdoor in New Encryption Standard?". Wired News. Archived from the original on 2013-11-09. Retrieved 2014-08-23.
- Goodin, Dan (2013-09-20). "We don’t enable backdoors in our crypto products, RSA tells customers". Ars Technica. Retrieved 2014-08-23.
- "NIST Invites Comments on Draft SP 800-90A, Revision 1". National Institute of Standards and Technology. 2014-04-21. Retrieved 2014-08-23.