NSA 'altered random-number generator' Published duration 11 September 2013

US intelligence agency the NSA subverted a standards process to be able to break encryption more easily, according to leaked documents.

It had written a flaw into a random-number generator that would allow the agency to predict the outcome of the algorithm, the New York Times reported.

The agency had used its influence at a standards body to insert the backdoor, said the report.

The NSA had made no comment at the time of writing.

According to the report, based on a memo leaked by former NSA contactor Edward Snowden, the agency had gained sole control of the authorship of the Dual_EC_DRBG algorithm and pushed for its adoption by the National Institute of Standards and Technology (Nist) into a 2006 US government standard.

The NSA had wanted to be able to predict numbers generated by certain implementations of the algorithm, to crack technologies using the specification, said the report.

Nist standards are developed to secure US government systems and used globally.

The standards body said that its processes were open, and that it "would not deliberately weaken a cryptographic standard".

"Recent news reports have questioned the cryptographic standards development process at Nist," the body said in a statement

"We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place."

Impact

It was unclear which software and hardware had been weakened by including the algorithm, according to software developers and cryptographers.

For example, Microsoft had used the algorithm in software from Vista onwards, but had not enabled it by default, users on the Cryptography Stack Exchange pointed out.

The algorithm has been included in the code libraries and software of major vendors and industry bodies, including Microsoft, Cisco Systems, RSA, Juniper, RIM for Blackberry, OpenSSL, McAfee, Samsung, Symantec, and Thales, according to Nist documentation

Whether the software of these organisations was secure depended on how the algorithm had been used, Cambridge University cryptographic expert Richard Clayton told the BBC.

"There's no easy way of saying who's using [the algorithm], and how," said Mr Clayton.

Moreover, the algorithm had been shown to be insecure in 2007 by Microsoft cryptographers Niels Ferguson and Dan Shumow, added Mr Clayton.

"Because the vulnerability was found some time ago, I'm not sure if anybody is using it," he said.