The National Institute of Standards and
Technology is usually seen as an impartial judge of standards, so this was
potentially catastrophic. This week, NIST denied the allegations, saying they
would never "deliberately weaken a cryptographic standard," but the
damage was done. Had the NSA been poisoning the well of cryptography?
The articles don't name specific programs as a
concession to law enforcement, but the program was widely assumed to be a
standard called the DUAL_EC_DRBG, which many have suspected of being an NSA
plant for years. The algorithm works as a random number generator, but if it
doesn’t work as advertised, it could easily serve as a backdoor codebreak for a
third party like the NSA. (Most encryption schemes rely on random numbers to
foil code-breakers, but if the NSA can guess the "random" string, it
makes the code much easier to crack.) Early suspicions were also raised by two
Microsoft engineers, John Kelsey and Niels Ferguson, which is consistent with
the New York Times' description of the plant. If it's true, it's both good and
bad news: the NSA really did get a bad standard approved by one of the most
important boards in cryptography, but it probably didn't do them any good.
source theverge.com
No hay comentarios:
Publicar un comentario