[Infowarrior] - MS to bundle 'broken' random number tool in Vista SP1
Richard Forno
rforno at infowarrior.org
Wed Dec 19 03:42:38 UTC 2007
MS to bundle 'broken' random number tool in Vista SP1
Developers urged to avoid built-in backdoor
By John Leyden
Published Tuesday 18th December 2007 12:04 GMT
http://www.theregister.co.uk/2007/12/18/vista_sp1_rng_backdoor_fears/
Microsoft plans to bundle a cryptographically flawed pseudo random number
generator in its upcoming service pack for Windows Vista.
Cryptographers have expressed concern about a possible backdoor in a
standard for random number generators approved by the National Institute of
Standards and Technology (NIST) this year.
The cryptographically weak Dual_EC_DRBG approach, which is based on the
mathematics of elliptic curves, was one of four "deterministic random bit
generators" approved by the NIST in March.
Flaws in the approach (Dual_EC_DRBG) first emerged in August at the Crypto
2007 conference when cryptographers Dan Shumow and Niels Ferguson
demonstrated that two constants in the standard used to define the
algorithm's elliptic curve have a relationship with a second, secret set of
numbers.
Anyone who had access to the second set of numbers would have a kind of
skeleton key able to unlock any instance of Dual_EC_DRBG. Suspicions that
this weakness might be used as a backdoor have been fueled by the NSA's
support of Dual_EC_DRBG in the standards-setting process.
Random number generators are important because the correct operation of SSL
and other protocols relies on their randomness. Standards set in this area
by NIST are significant because they are likely to be followed by hardware
and software suppliers in much the same way that the Advanced Encryption
Standard (AES), which was also approved under the auspices of the NIST, has
become widely adopted.
Crypto guru Bruce Schneier, who previously described the weakness as a
backdoor, notes that the Dual_EC_DRBG approach will be implemented in
Windows Vista SP1.
Although the technology will not be applied by default, that leaves users
reliant on the good sense of developers in avoiding the cryptographically
weak approach. The default random number generator in Vista SP1 will be
CTR_DRBG, technology based on the AES standard that's reckoned to be far
more robust than Dual_EC_DRBG.
Schneier's latest warning on the issue has sparked a lively discussion on
his blog with participants expressing concern that the flawed Dual_EC_DRBG
random number generator could appear more prominently in either the IE or
.NET developer framework further down the road.
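
The relationship between the two constants described above, as a toy model added here (not code from the article, Microsoft or NIST). The curve, the points `P` and `Q`, the secret `D` and the seed are constructed values on a 31-bit field, and the output truncation of the real generator is left out. It goes beyond the article's summary by using the generator's published structure: each output is the x-coordinate of state*Q, and the next state is the x-coordinate of state*P.

```python
# Toy model of the Dual_EC_DRBG trapdoor (added example; constructed parameters,
# not the NIST constants). Real Dual_EC also truncates each output.
P_MOD = 2**31 - 1            # small prime field, P_MOD % 4 == 3
A, B = 2, P_MOD - 8          # curve y^2 = x^3 + 2x - 8 over GF(P_MOD)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

Q = (3, 5)                   # first public constant (5^2 = 27 + 6 - 8)
D = 0x1234567                # the secret number linking the two constants
P = mul(D, Q)                # second public constant; looks unrelated to Q

def step(state):
    """One generator round: returns (new_state, output)."""
    new_state = mul(state, P)[0]
    return new_state, mul(new_state, Q)[0]

def lift_x(x):
    """Recover a curve point from its x-coordinate (sign of y is irrelevant)."""
    rhs = (x**3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def predict_next(output, d):
    """Holder of d: output is x(s*Q), and d*(s*Q) = s*P gives the next state."""
    next_state = mul(d, lift_x(output))[0]
    return next_state, mul(next_state, Q)[0]
```

Because one observed output is enough to follow every later state, the safeguard is the one the article names: keep the default CTR_DRBG and never select Dual_EC_DRBG.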