
NIST removes Dual_EC_DRBG - silenteh
http://www.nist.gov/itl/csd/sp800-90-042114.cfm
======
suprgeek
"Draft Special Publication 800-90A Revision 1, Recommendation for Random
Number Generation Using Deterministic Random Bit Generators."

[http://csrc.nist.gov/publications/drafts/800-90/sp800_90a_r1...](http://csrc.nist.gov/publications/drafts/800-90/sp800_90a_r1_draft.pdf)

Acknowledgements: The National Institute of Standards and Technology (NIST)
gratefully acknowledges.... Mike Boyle and Mary Baish from NSA for assistance
in the development of this Recommendation

~~~
tptacek
Shit! Everyone, switch back to Dual_EC!

------
tjohns
I'm glad that NIST removed this from their recommendations.

That said, I'm surprised that it took them this long to do so. From the
article:

    "In September 2013, news reports prompted public
    concern about the trustworthiness of Dual_EC_DRBG..."

Dual_EC_DRBG has been suspect for quite a while longer. There were concerns
going back to at least 2006:
[http://eprint.iacr.org/2006/190](http://eprint.iacr.org/2006/190)

~~~
sigil
Yes, this is 8 years overdue. As djb points out in a letter to NIST here [1],
this is not just about one specific NIST recommendation that had problems.
There are problems with the standardization process as a whole.

[1]
[http://blog.cr.yp.to/20140411-nist.html](http://blog.cr.yp.to/20140411-nist.html)

------
mrsaint
Well, given for how long Dual_EC_DRBG has been under suspicion, one cannot
congratulate NIST for a proactive stance on security. For what it's worth,
just go to this page on the NIST homepage:

[http://csrc.nist.gov/groups/ST/toolkit/examples.html](http://csrc.nist.gov/groups/ST/toolkit/examples.html)

And it still says:

    Random Number Generation
    [...]

    - Recommendation for Random Number Generation Using Deterministic Random Bit Generators
    [...]

    - Dual_EC_DRBG (link)
    [...]

    CryptoToolkit Webmaster, Disclaimer Notice & Privacy Policy
    NIST is an Agency of the U.S. Department of Commerce
    Last updated: Jan 30, 2006

Time for an update or what?

------
higherpurpose
NIST should get a clue and follow Dan Bernstein's advice:

[http://blog.cr.yp.to/20140411-nist.html](http://blog.cr.yp.to/20140411-nist.html)

~~~
fuqua
If you read the bottom of NIST's press release, they've tasked their Visiting
Committee on Advanced Technology (recently co-chaired by Vint Cerf) to do a
review of NIST's crypto standardization process. Their review will be released
to the public.

See the following for more info on the VCAT:

[http://www.nist.gov/director/vcat/index.cfm](http://www.nist.gov/director/vcat/index.cfm)

------
kzrdude
Thanks to Snowden & Greenwald!

------
JoachimS
I've gotten a response from Walter Fumy on the ISO stance on Dual_EC_DRBG:

"Regarding Dual_EC_DRBG, SC 27 / WG 2 resolved at its April 2014 meetings in
Hong Kong to issue a corrigendum to ISO/ IEC 18031:2011 with the effect of
removing the Dual_EC_DRBG scheme from the standard. Processing the corrigendum
takes some time but should be completed by the end of 2014.

In parallel, SC 27 Standing Document SD 12 "Assessment of cryptographic
algorithms and key lengths" will be updated to include appropriate advice
regarding Dual_EC_DRBG. This should happen by the end of the month."

------
JoachimS
I found a presentation (pdf) from an ISO/IEC meeting late 2013 by Walter Fumy
regarding crypto with details on Dual_EC_DRBG and recommendations to ISO.
(I've also submitted this to HN, don't know if that is ok, but I find the
preso pretty interesting.)

[http://jtc1info.org/wp-content/uploads/2014/02/ISO-IECJTC1_N...](http://jtc1info.org/wp-content/uploads/2014/02/ISO-IECJTC1_N11866_R_SC_27_Chairman_s_Presentation_to_.pdf)

------
JoachimS
So now we wait for the reaction from ISO and ANSI.

I have yet to see any reaction from either organisation regarding the
standards ANSI X9.82, Part 3 and ISO/IEC 18031:2005, both of which include
Dual_EC_DRBG.

NIST rightfully gets a lot of blame and shame for not reacting to Dual_EC_DRBG
in a timely manner. But ANSI and ISO standardized Dual_EC_DRBG before NIST and
AFAIK have been very numb (and deaf and blind) the whole time. Would love to be
proven wrong.

------
peterkelly
I wish they'd also remove the NSA

------
leccine
Long-awaited decision.

~~~
marshray
Was anyone really waiting?

~~~
dsl
Yes. Lots of large corporations and government agencies point to NIST
standards when making purchasing decisions. So until this got officially
updated, vendors were obligated to sell potentially insecure products.

~~~
marshray
There's NIST which publishes the definitions, and then there's FIPS which
required the availability of Dual-EC DRBG.

Following FIPS is nontrivial. I've never heard of anyone doing it that wasn't
the US government itself, or a contractor, or a stooge like RSA (which made
Dual-EC their default crypto RNG).

