There has been some hubbub as of late about some ominous involvement of NSA with NIST standards on random number generation – specifically that NSA pushed the DUAL_EC_DRBG algorithm even though it performs relatively slowly and may potentially contain a backdoor.
Bruce Schneier says:
If this story leaves you confused, join the club. I don’t understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It’s public, and rather obvious. It makes no sense from an engineering perspective: It’s too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.
Now we see that Microsoft will be including this random number generator in Vista SP1 and Windows Server 2008. No word on whether or not it will be used internally for any critical system functions, but having it available without any comment leaves the possibility that groups will unknowingly use it when building systems.
Static analysis tools vendors like Fortify do a pretty good job right now looking for insecure programming practices related to cryptography so hopefully they will include rules to check for the use of this algorithm. Also organizations in the know could also add custom rules on their own. The only problem is most organizations aren’t in the know on issues like this.
Given recent paranoid posts in this blog about how social networking sites are actually fronts for government total information awareness programs I’ve been trying really hard to tie this in with that theme. The only thing I can think of is that including this backdoored RNG in Vista SP1 and Windows Server 2008 was a secret term of the Microsoft investment in Facebook. Read between the lines, folks. The truth is out there.
Seriously, though. For completeness and compatibility purposes it probably makes sense for Microsoft to include this RNG implementation with their crypto toolkits. However if there are serious concerns about the algorithm’s strength the documentation should reflect that so teams building software products don’t unwittingly use weak random numbers.
dan _at_ denimgroup.com