NIST removes Dual_EC_DRBG

&quot;Draft Special Publication 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators.&quot;<p><a href="http://csrc.nist.gov/publications/drafts/800-90/sp800_90a_r1_draft.pdf" rel="nofollow">http:&#x2F;&#x2F;csrc.nist.gov&#x2F;publications&#x2F;drafts&#x2F;800-90&#x2F;sp800_90a_r1...</a><p>Acknowledgements: The National Institute of Standards and Technology (NIST) gratefully acknowledges.... Mike Boyle and Mary Baish from NSA for assistance in the development of this Recommendation

I&#x27;m glad that NIST removed this from their recommendations.<p>That said, I&#x27;m surprised that it took them this long to do so. From the article:<p><pre><code> &quot;In September 2013, news reports prompted public concern about the trustworthiness of Dual_EC_DRBG...&quot; </code></pre> Dual_EC_DRBG has been suspect for quite a while longer. There were concerns going back to at least 2006: <a href="http://eprint.iacr.org/2006/190" rel="nofollow">http:&#x2F;&#x2F;eprint.iacr.org&#x2F;2006&#x2F;190</a>

Well, given for how long Dual_EC_DRBG has been under suspicion, one cannot congratulate NIST for a proactive stance on security. For what it&#x27;s worth, just go to this page on the NIST homepage:<p><a href="http://csrc.nist.gov/groups/ST/toolkit/examples.html" rel="nofollow">http:&#x2F;&#x2F;csrc.nist.gov&#x2F;groups&#x2F;ST&#x2F;toolkit&#x2F;examples.html</a><p>And it still says:<p><pre><code> Random Number Generation [...] - Recommendation for Random Number Generation Using Deterministic Random Bit Generators [...] - Dual_EC_DRBG (link) [...] CryptoToolkit Webmaster, Disclaimer Notice &amp; Privacy Policy NIST is an Agency of the U.S. Department of Commerce Last updated: Jan 30, 2006 </code></pre> Time for an update or what?

NIST should get a clue and follow Dan Bernstein&#x27;s advices:<p><a href="http://blog.cr.yp.to/20140411-nist.html" rel="nofollow">http:&#x2F;&#x2F;blog.cr.yp.to&#x2F;20140411-nist.html</a>

Thanks to Snowden &amp; Greenwald!

I&#x27;ve gotten a response from Walter Fumy on the ISO stance on Dual_EC_DRBG:<p>&quot;Regarding Dual_EC_DRBG, SC 27 &#x2F; WG 2 resolved at its April 2014 meetings in Hong Kong to issue a corrigendum to ISO&#x2F; IEC 18031:2011 with the effect of removing the Dual_EC_DRBG scheme from the standard. Processing the corrigendum takes some time but should be completed by the end of 2014.<p>In parallel, SC 27 Standing Document SD 12 &quot;Assessment of cryptographic algorithms and key lengths&quot; will be updated to include appropriate advice regarding Dual_EC_DRBG. This should happen by the end of the month.&quot;

I found a presentation (pdf) from a ISO&#x2F;IEC meering late 2013 by Walter Fumy regarding crypto with details on Dual_EC_DRBG and recommendations to ISO. (I&#x27;ve also submitted this to HN, don&#x27;t know if that is ok, but I find thing preso pretty interesting.)<p><a href="http://jtc1info.org/wp-content/uploads/2014/02/ISO-IECJTC1_N11866_R_SC_27_Chairman_s_Presentation_to_.pdf" rel="nofollow">http:&#x2F;&#x2F;jtc1info.org&#x2F;wp-content&#x2F;uploads&#x2F;2014&#x2F;02&#x2F;ISO-IECJTC1_N...</a>

So now we wait for the reaction from ISO and ANSI.<p>I have yet to see any reaction from either organisations regarding the standards ANSI X9.82, Part 3 and ISO&#x2F;IEC 18031:2005 both of which includes Dual_EC_DRBG.<p>NIST rightfully gets a lot of blame and shame for not reacting to Dual_EC_DRBG in a timely manner. But ANSI and ISO standardized Dual_EC_DRBG before NIST and AFAIK has been very numb (and deaf and blind) the whole time. Would love to be proven wrong.

I wish they&#x27;d also remove the NSA

Long waited decision.