Canada Helped NSA Compromise Dual EC DRBG

On the heels of last week's bombshell that the NSA has effectively bested most common types of encryption, the New York Times has a follow-up report that adds some interesting details. According to the Times report, the NSA has specifically compromised the Dual EC DRBG standard -- with the help of Canada. Here's the pertinent part from the Times report:

quote:
internal memos leaked by a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a back door for the N.S.A. In publishing the standard, N.I.S.T. acknowledged “contributions” from N.S.A., but not primary authorship.

Internal N.S.A. memos describe how the agency subsequently worked behind the scenes to push the same standard on the International Organization for Standardization. “The road to developing this standard was smooth once the journey began,” one memo noted. “However, beginning the journey was a challenge in finesse.”

At the time, Canada’s Communications Security Establishment ran the standards process for the international organization, but classified documents describe how ultimately the N.S.A. seized control. “After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft,” the memo notes. “Eventually, N.S.A. became the sole editor.”

As the Times notes, many security professionals have long had concerns about the National Institute of Standards and Technology's (NIST) close ties with the NSA, and the group obviously now has a lot of work to do to regain trust. NIST issued a statement saying they're required by law to consult with the NSA and that "if vulnerabilities are found in these or any other N.I.S.T. standard," they'll "work with the cryptographic community to address them as quickly as possible."

Most recommended from 12 comments


Rekrul
3 recommendations

Remember when...

Remember when people were saying that the government had inserted backdoors into various encryption methods and everyone called them paranoid wackos? Yeah, about that...