An article by Bruce Schneier that surfaced here caught my attention: Bruce talks about the new standard recently released by the US Government for random number generators. Out of the four different techniques described in this document, one in particular, called Dual_EC_DRBG, apparently carries an anomaly. In a nutshell:
This is how it works: There are a bunch of constants -- fixed numbers -- in the standard used to define the algorithm's elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.
... to put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.
... this is scary stuff indeed.
Dramatized or not, coming from Bruce this makes me raise an eyebrow, as he goes on to discuss the possible logic behind the NSA's decision to run with this algorithm.
If this story leaves you confused, join the club. I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.
You can already imagine that Bruce does not recommend this random number generator; rather, he advises going with one of these two algorithms instead:
CTR_DRBG or Hash_DRBG.
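For contrast with Dual_EC_DRBG, here is Hash_DRBG, one of the two generators from the same standard that Bruce recommends. This is an added example written for this post, not code from the standard, from Bruce, or from any NIST implementation; it assumes SHA-256 with the 440-bit seedlen the standard assigns to it, and all entropy and nonce values in it are constructed test inputs, not a real entropy source. Note what is absent compared with Dual_EC_DRBG: there are no fixed curve points whose origin has to be trusted, only a hash function and the seed you supply.

```python
import hashlib

SEEDLEN = 55  # 440 bits: the seedlen SP 800-90A assigns to SHA-256
MOD = 1 << (8 * SEEDLEN)

def _hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hash_df(material: bytes, nbytes: int) -> bytes:
    """Hash_df: derive nbytes from arbitrary-length seed material."""
    out, counter = b"", 1
    while len(out) < nbytes:
        out += _hash(bytes([counter]) + (8 * nbytes).to_bytes(4, "big") + material)
        counter += 1
    return out[:nbytes]

class HashDRBG:
    """Hash_DRBG (SP 800-90A) over SHA-256; inputs here are constructed, not real entropy."""
    def __init__(self, entropy_input, nonce=b"", personalization=b"", reseed_interval=10000):
        self.reseed_interval = reseed_interval
        self._seed(entropy_input + nonce + personalization)

    def _seed(self, seed_material):
        # V is the working state; C is a constant derived from it at (re)seed time
        self.V = hash_df(seed_material, SEEDLEN)
        self.C = hash_df(b"\x00" + self.V, SEEDLEN)
        self.reseed_counter = 1

    def reseed(self, entropy_input, additional_input=b""):
        self._seed(b"\x01" + self.V + entropy_input + additional_input)

    def generate(self, nbytes, additional_input=b""):
        if self.reseed_counter > self.reseed_interval:
            raise RuntimeError("reseed required")
        v = int.from_bytes(self.V, "big")
        if additional_input:
            w = int.from_bytes(_hash(b"\x02" + self.V + additional_input), "big")
            v = (v + w) % MOD
            self.V = v.to_bytes(SEEDLEN, "big")
        out, data = b"", v  # Hashgen: hash V, V+1, V+2, ... until enough bytes
        while len(out) < nbytes:
            out += _hash(data.to_bytes(SEEDLEN, "big"))
            data = (data + 1) % MOD
        # State update: V = V + H + C + reseed_counter (mod 2^seedlen)
        h = int.from_bytes(_hash(b"\x03" + self.V), "big")
        c = int.from_bytes(self.C, "big")
        self.V = ((v + h + c + self.reseed_counter) % MOD).to_bytes(SEEDLEN, "big")
        self.reseed_counter += 1
        return out[:nbytes]
```

The reseed_interval check is what forces fresh entropy into the state periodically; in a real deployment the entropy_input must come from an approved source rather than a fixed byte string.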