(Updates with RSA denial)

There has been a lot of furor over the Random Number Generator that the NSA, with a rather heavy hand, apparently forced NIST to accept into its encryption standards.

Bruce Schneier, wrote “ The NSA Is Breaking Most Encryption on the Internet “ and The Guardian reported extensively on the NSA’s project Bullrun, which is apparently a massive ($254.9 million budget) effort to corrupt encryption standards.

Reuters reported December 20th that the NSA had paid RSA $10 million to make the suspect code the default Pseudo Random Number Generator (PRNG) in its BSafe crypto suite. RSA categorically denied the substance of the Reuters report in a blog post on December 22nd.

On December 19, researchers who were responsible for the FIPS certification of the SSL libraries used by all web servers and browsers to encrypt communications announced that there is a bug in the code that renders the offending PRNG useless. In other words no SSL implementation actually uses the NSA generated back door!

The question is why would the NSA work so hard to subvert an encryption standard that is not implemented in SSL?

Bug report: http://marc.info/?l=openssl-announce&m=138747119822324&w=2&x=1

Leave a Reply