A major American computer security company has told thousands of customers to stop using an encryption system that relies on a mathematical formula developed by the
RSA, the security arm of the storage company
The abrupt warning is the latest fallout from the huge intelligence disclosures by the whistleblower
Last week, the New York Times reported that Snowden's cache of documents from his time working for an NSA contractor showed that the agency used its public participation in the process for setting voluntary cryptography standards, run by the government's
RSA's warning underscores how the slow-moving standards process and industry practices could leave many users exposed to hacking by the NSA or others who could exploit the same flaw for years to come.
Encryption systems use pseudo-random number generators as part of a complex mathematical process of creating theoretically uncrackable codes. If the number sequences generated can be predicted, that makes the code crackable, given sufficient computing power.
Ferguson pointed to a 2007 presentation by two researchers from
A person familiar with the process by which NIST would have accepted the PRNG told Reuters that it accepted the code in part because many government agencies were already using it.
RSA had no immediate comment when quizzed by Reuters about the email. It was unclear how the company could reach all the former customers of its development tools, let alone how those programmers could in turn reach all of their customers. That could mean that the weakened PRNG has been used in products spread around the world over the past seven years. Developers who used RSA's "BSAFE" kit wrote code for web browsers, other software and hardware components to increase their security.
He added: "Now that the ruse of covertly influencing standards has become public knowledge, it will be difficult to maintain trust in that system. After all, what's good for the goose is good for the adversary."
After the Times report, NIST said it was inviting public comments as it re-evaluated the formula.
On 10 September, NIST said: "If vulnerabilities are found in these or any other NIST standards, we will work with the cryptographic community to address them as quickly as possible."