RSA Security is telling its developer clients to stop using an algorithm that could contain an NSA backdoor, according to a new report in Wired.
RSA advises those developers to switch from the SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generator (also known as Dual EC DRBG) to one of the other supported random-number-generation algorithms. All versions of RSA’s BSAFE Toolkits, along with the RSA Data Protection Manager (DPM) server and clients, are apparently covered by the advisory.
Earlier in September, The New York Times published a report suggesting that the NSA had used a combination of supercomputers and coding know-how to subvert the encryption underlying many of the Web’s major tools, including the algorithms that safeguard the world’s banking and e-commerce platforms. Government whistleblower Edward Snowden, who has spent the past several months leaking top-secret material about the NSA to The Guardian (which subsequently offered a portion of it to the Times), provided documents that suggested the secretive agency has spent billions installing algorithmic backdoors in these platforms by stealth.
“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” suggested a 2010 memo written by analysts at Britain’s Government Communications Headquarters, as quoted by the Times. “Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
Even if the NSA hasn’t managed to crack every encryption tool on the market, the effort to do so is a worrisome development for any IT security company that depends on its clients feeling their data is safe and secure. The stakes are even higher for RSA Security, which faced controversy in 2011 over vulnerabilities in its SecurID tokens; companies such as SAP ended up replacing thousands of the devices after an unknown party managed to breach RSA’s systems.
So while the National Institute of Standards and Technology (NIST) investigates the suspected weakness in the algorithm, RSA Security is acting with an abundance of caution.