NIST drops controversial encryption algorithm

The National Institute of Standards and Technology pulled an encryption algorithm from a security document over concerns that spies were exploiting backdoors in the code.

The National Institute for Standards and Technology has removed a controversial encryption algorithm from a key security document after years of reports that it contained a backdoor for the National Security Agency.

NIST announced Thursday that its revision to Special Publication 800-90A Rev. 1 — Recommendation for Random Number Generation Using Deterministic Random Bit Generators — would permanently remove the Dual Elliptic Curve random number generator (Dual_EC_DRBG) from its list of reliable algorithms. The removal comes after what the agency calls “concerns that it might contain a weakness that attackers could exploit to predict the outcome of random number generation.”

Among those “attackers” could be the NSA. Stories related to the Edward Snowden leaks pegged the agency, which created the algorithm, as having the ability to break the encryption under its Bullrun program.

Random number generation is a keystone of encryption, especially elliptic curve encryption, which creates an extremely complex mathematical problem to protect information. With a backdoor, that protection is rendered useless.


The document also recommends introducing more randomness into a number of other key algorithms, as the refresh keeps the encryption from becoming weak.

NIST has been debating the removal of the Dual_EC_DRBG since April of last year. Last week’s announcement makes the edit permanent.

Latest Podcasts