
Study Shows Flawed U.S. Encryption Standard Could Be Broken in Seconds

If the NSA did have the keys to the backdoor in a random number generator it could break some encryption without trouble.
March 31, 2014

The security of a data connection protected using a flawed U.S. encryption standard promoted by the National Security Agency could be broken in under 16 seconds using a single computer processor. That’s according to the first in-depth study of how easily encryption systems that use the now deprecated Dual_EC random number generator could be defeated by an attacker that had “backdoored” the standard.

The flawed standard has never been widely used to protect Internet communications, even though the security company RSA got $10 million from the NSA to make it the default random number generator in one of its software packages. It is not known whether the NSA or anyone else knows the crucial mathematical relationship needed to exploit the flaw and undo encryption based on Dual_EC.

However, the study conclusively shows that an attacker that did know the key to the Dual_EC backdoor could put it to practical use. Not all of the six different encryption software packages tested could be defeated in seconds: half took a 16-processor cluster between 60 and 80 minutes of work to break. But a national intelligence agency could significantly improve on those times by devoting more computing power to the problem.

Documents leaked by Edward Snowden, and published in September 2013, do indicate that the NSA has tried to influence standards on encryption, and to encourage commercial companies to make security products more susceptible to U.S. surveillance. Both the National Institute of Standards and Technology (NIST) and RSA withdrew their endorsement for Dual_EC after the Snowden documents were published last year.

The new study was carried out by researchers from Johns Hopkins University, the University of Wisconsin, the Technical University of Eindhoven, the University of Illinois at Chicago, and the University of California San Diego.

NIST first proposed Dual_EC in 2006. Months later two researchers from Microsoft found a mathematical flaw that resembled an intentional “backdoor” that could be used to undo encryption based on the standard.

The weakness centers on two constants, known as P and Q, that function as a kind of default setting for the generator and are supposed to be randomly chosen and unrelated to one another. However, if there is some mathematical relationship between the two, it can be used to predict the output of the generator based on seeing one of its past outputs.
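The mechanism described above on a toy curve, as an added illustration that is not part of the article or of the study it reports: the curve y^2 = x^3 + x + 1 over F_23, the constant Q = 3G and the hidden multiplier D = 5 with P = D*Q are all constructed here. Whoever holds D turns a single observed output into the generator's next internal state and therefore every later output; the real generator runs on the NIST P-256 curve with 256-bit states and withholds the top 16 bits of each output, which an attacker must additionally guess.

```python
P_MOD, A, B = 23, 1, 1      # constructed toy curve y^2 = x^3 + x + 1 over F_23
INF = None                  # point at infinity
def ec_add(p1, p2):         # affine addition, doubling and inverses included
    if p1 is INF or p2 is INF:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF          # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):          # double-and-add scalar multiplication k*pt
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def x_of(pt):               # Dual_EC's state and output are x-coordinates
    if pt is INF: raise ValueError("state hit the point at infinity")
    return pt[0]
G = (0, 1)                  # a point of order 28 on this curve
Q = ec_mul(3, G)            # public constant Q
D = 5                       # the hidden relationship P = D*Q (constructed here)
P = ec_mul(D, Q)            # public constant P

def run_from_state(s, n):
    """Dual_EC core: emit r_i = x(s_i*Q), then advance to s_{i+1} = x(s_i*P)."""
    out = []
    for _ in range(n):
        out.append(x_of(ec_mul(s, Q)))
        s = x_of(ec_mul(s, P))
    return out
def dual_ec_outputs(seed, n):   # seed the generator, return its first n outputs
    return run_from_state(x_of(ec_mul(seed, P)), n)
def lift_x(x):
    """Some curve point with this x (p = 3 mod 4, so sqrt(a) = a^((p+1)/4))."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != rhs: raise ValueError("no point with that x")
    return (x, y)

def predict_from(observed, n):
    """Holder of D: D*(s*Q) = s*P, whose x is the next state (either sign of y works)."""
    return run_from_state(x_of(ec_mul(D, lift_x(observed))), n)
```

On a prime-order curve such as P-256 some D with P = D*Q always exists, so "unrelated" can only mean that nobody knows it; the concern is that Q was derived from P by someone who kept D.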

Some security experts have long suspected that the versions of P and Q in NIST’s version of Dual_EC are linked in some way, and that the NSA knows exactly how, allowing it to undo encryption based on the standard. Those fears gained credence in light of the fact that the Snowden documents showed that the agency did have a policy of trying to influence new standards.

To test what a key to the backdoor in Dual_EC might allow, the researchers set values of P and Q that were linked. They then played the role of an attacker trying to break encrypted TLS connections made by software in use today that supports Dual_EC or once used it by default. TLS connections are widely used to secure Internet data, such as Web browsing, e-mail, and VoIP.

RSA’s two implementations of Dual_EC, both of which used to have it as the default random number generator, proved to be the easiest to break. A version written in the C programming language could be undone in under 16 seconds using a single computer processor, and under three seconds using a computing cluster with 16 processors. A version of RSA’s software written in Java took the cluster around an hour, about the same as one version of Microsoft’s Schannel security software.

That variation in susceptibility was mostly caused by seemingly minor implementation choices made by different software developers. However, the Java version of RSA’s software could be further weakened by enabling an NSA-backed tool, Extended Random, bundled with the software. Turning on that feature sped up the work of backdooring TLS connections by 65,000 times. Extended Random was proposed as a standard to the Internet Engineering Standards Task Force by the NSA and others in 2008, after which RSA added it to some of its software. However, few other companies did, and it was dropped from the standardization process.

Illustration by Rose Wong