The National Security Agency’s vast spying and surveillance powers have already undermined trust in the United States government around the planet. And American businesses are losing billions as global customers look to alternatives far outside of Washington’s jurisdiction.
Now, an important security algorithm—a random number generator at the core of an alleged $10 million contract between RSA Security and the NSA— will no longer carry governmental approval because of strong suspicion that the NSA has tampered with it.
The National Institute of Standards and Technology (NIST) announced Monday that it will remove the so-called Dual Elliptic Curve Deterministic Random Bit Generator—which the NSA championed years ago, back when its input was welcomed—due to weaknesses and a lack of confidence in the algorithm.
“There’s a legitimate and obvious reason why we would remove it, based solely on our review and the feedback we received,” NIST spokeswoman Jennifer Huergo told the press. The NSIT urged users to back off the encryption algorithm in September after documents leaked by Edward Snowden indicated that it could be backdoored by the NSA.
Perceived problems with the Dual Elliptic Curve Deterministic Random Bit Generator extend back to 2007, when security expert Bruce Schneier revealed that “the algorithm contains a weakness that can only be described as a backdoor.” In December, RSA denied it accepted money from the NSA to weaken its security tools.
“We categorically deny this allegation,” RSA wrote in a blog post. “We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it.”
Despite these claims, suspicions of NSA manipulation still cling to the RSA algorithm’s reputation.
“We don’t know what’s been tampered with,” Schneier told Threatpost in September. “Nothing can be trusted. Everything is suspect.”
H/T Fierce Government | Photo remix by Jason Reed