Cisco, McAfee, Other Firms Addressing NSA-Linked Encryption Algorithm


Security firms and networking appliance makers are working to identify the products that support a contentious encryption algorithm believed by some cryptographers to be a potential back door used for surveillance activities conducted by the National Security Agency.

None of the technology vendors reached by CRN have the encryption algorithm set by default, but some firms indicated that the algorithm was supported as an option.

Security vendor Mocana, which provides security for mobile devices and embedded systems, is considering a formal warning to customers that a tool it provides for embedded device encryption could have been used to implement the contentious encryption algorithm. The firm told CRN that its NanoCrypto government-certified cryptographic engine had the questionable encryption algorithm as one of three options made available to developers.



The tool is used to provide encryption for a variety of devices, from medical pumps and pacemakers to industrial manufacturing automation systems used by large defense contractors, said Kurt Stammberger, vice president of market development at Mocana.

"The algorithms in there are not turned on by default, but we will probably be issuing an advisory to our customers to not use the algorithm, and in a future patch turn it off or delete it from the toolkit entirely," Stammberger said.

Stammberger, an early member of RSA -- the security division of EMC -- and founder of the RSA Conference, said the weak encryption algorithm has a significant impact on the entire industry. Patching systems could be costly to technology firms, he said. The loss in confidence from the public and businesses can also have an impact, he said.

"It can have a real economic detriment to American business," Stammberger said.

The algorithm in question is called Dual_EC_DRBG. It is a pseudo-random number generator that had been promoted by the National Institute of Standards and Technology (NIST) as one of four recommended random number generators for use in cryptography. Earlier this month, NIST warned against using Dual_EC_DRBG while cryptographers determine the extent of the algorithm's weaknesses. Leaked documents about the NSA surveillance program outline a multipronged approach to cracking encryption, including spending millions on getting back doors into encryption products.
