"Draft Special Publication 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators."<p><a href="http://csrc.nist.gov/publications/drafts/800-90/sp800_90a_r1_draft.pdf" rel="nofollow">http://csrc.nist.gov/publications/drafts/800-90/sp800_90a_r1...</a><p>Acknowledgements:
The National Institute of Standards and Technology (NIST) gratefully acknowledges ... Mike Boyle and Mary Baish from NSA for assistance in the development of this Recommendation.
I'm glad that NIST removed this from their recommendations.<p>That said, I'm surprised that it took them this long to do so. From the article:<p><pre><code> "In September 2013, news reports prompted public
concern about the trustworthiness of Dual_EC_DRBG..."
</code></pre>
Dual_EC_DRBG has been suspect for quite a while longer. There were concerns going back to at least 2006: <a href="http://eprint.iacr.org/2006/190" rel="nofollow">http://eprint.iacr.org/2006/190</a>
Well, given how long Dual_EC_DRBG has been under suspicion, one cannot congratulate NIST on a proactive stance on security. For what it's worth, just go to this page on the NIST homepage:<p><a href="http://csrc.nist.gov/groups/ST/toolkit/examples.html" rel="nofollow">http://csrc.nist.gov/groups/ST/toolkit/examples.html</a><p>And it still says:<p><pre><code> Random Number Generation
[...]
- Recommendation for Random Number Generation Using Deterministic Random Bit Generators
[...]
- Dual_EC_DRBG (link)
[...]
CryptoToolkit Webmaster, Disclaimer Notice & Privacy Policy
NIST is an Agency of the U.S. Department of Commerce
Last updated: Jan 30, 2006
</code></pre>
Time for an update or what?
NIST should get a clue and follow Dan Bernstein's advice:<p><a href="http://blog.cr.yp.to/20140411-nist.html" rel="nofollow">http://blog.cr.yp.to/20140411-nist.html</a>
I've gotten a response from Walter Fumy on the ISO stance on Dual_EC_DRBG:<p>"Regarding Dual_EC_DRBG, SC 27 / WG 2 resolved at its April 2014 meetings in Hong Kong to issue a corrigendum to ISO/IEC 18031:2011 with the effect of removing the Dual_EC_DRBG scheme from the standard.
Processing the corrigendum takes some time but should be completed by the end of 2014.<p>In parallel, SC 27 Standing Document SD 12 "Assessment of cryptographic algorithms and key lengths" will be updated to include appropriate advice regarding Dual_EC_DRBG. This should happen by the end of the month."
I found a presentation (pdf) from an ISO/IEC meeting in late 2013 by Walter Fumy regarding crypto, with details on Dual_EC_DRBG and recommendations to ISO. (I've also submitted this to HN, don't know if that is ok, but I find this preso pretty interesting.)<p><a href="http://jtc1info.org/wp-content/uploads/2014/02/ISO-IECJTC1_N11866_R_SC_27_Chairman_s_Presentation_to_.pdf" rel="nofollow">http://jtc1info.org/wp-content/uploads/2014/02/ISO-IECJTC1_N...</a>
So now we wait for the reaction from ISO and ANSI.<p>I have yet to see any reaction from either organisation regarding the standards ANSI X9.82, Part 3 and ISO/IEC 18031:2005, both of which include Dual_EC_DRBG.<p>NIST rightfully gets a lot of blame and shame for not reacting to Dual_EC_DRBG in a timely manner. But ANSI and ISO standardized Dual_EC_DRBG before NIST and, AFAIK, have been very numb (and deaf and blind) the whole time. Would love to be proven wrong.