As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry...

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
...
Within a year, major questions were raised about Dual Elliptic Curve. Cryptography authority Bruce Schneier wrote that the weaknesses in the formula "can only be described as a back door."


After reports of the back door in September, RSA urged its customers to stop using the Dual Elliptic Curve number generator.

If 40,000,000 stolen credit transactions doesn't rise to the level of a threat to national security, I don't know what would. It would be nice if all that computing power actually did some good.

The dual elliptic curve deterministic random bit generator (Dual EC DRBG) cryptographic algorithm has a dubious history—it is believed to have been backdoored by the US National Security Agency (NSA)—but is mandated by the FIPS 140-2 US government cryptographic standard. That means that any cryptographic library project that is interested in getting FIPS 140-2 certified needs to implement the discredited random number algorithm. But, since certified libraries cannot change a single line—even to fix major, fatal bugs—having a non-working version of Dual EC DRBG may actually be the best defense against the backdoor. Interestingly, that is exactly where the OpenSSL project finds itself.

OpenSSL project manager Steve Marquess posted the tale to the openssl-announce mailing list on December 19. It is, he said, "an unusual bug report for an unusual situation". It turns out that the Dual EC DRBG implementation in OpenSSL is fatally flawed, to the point where using it at all will either crash or stall the program. Given that the FIPS-certified code cannot be changed without invalidating the certification, and that the bug has existed since the introduction of Dual EC DRBG into OpenSSL, it is clear that no one has actually used that algorithm from OpenSSL. It did, however, pass the testing required for the certification somehow.

It is also interesting to note that the financial sponsor of the feature adding support for Dual EC DRBG, who is not named, did so after the algorithm was already known to be questionable. It was part of a request to implement all of SP 800-90A, which is a suite of four DRBGs that Marquess called "more or less mandatory" for FIPS certification. At the time, the project recognized the "dubious reputation" for Dual EC DRBG, but also considers OpenSSL to be a comprehensive library and toolkit: "As such it implements many algorithms of varying strength and utility, from worthless to robust." Dual EC DRBG was not even enabled by default, but it was put into the library.
. . .

So, what we have here is a likely backdoored algorithm that almost no one used (evidently unless they were paid $10 million) added to an open-source cryptography library funded by money from an unnamed third party. After "rigorous" testing, that code was certified as conforming to a US government cryptographic standard, but it never actually worked at all. According to Marquess: "Frankly the FIPS 140-2 validation testing isn't very useful for catching 'real world' problems."

It is almost comical (except to RSA's BSafe customers, anyway), but it does highlight some fundamental problems in the US (and probably other) government certification process. Not finding this bug is one thing, but not being able to fix it (or, more importantly, being unable to fix a problem in an actually useful cryptographic algorithm) without spending lots of time and money on recertification seems entirely broken. The ham-fisted way that the NSA went about putting the backdoor into the standard is also nearly amusing. If all its attempts were similarly obvious and noisy, we wouldn't have much to worry about—unfortunately that seems unlikely to be the case.