One of the recently released Snowden documents mentions the NSA’s success at weakening a 2006 NIST encryption standard and getting it accepted as an international ISO standard. While the standard isn’t named, it is widely assumed to be NIST Special Publication 800-90A with the DualECDRBG random number generator being the weakened algorithm. Indeed, the algorithm was weakened to such an extent that it can be said to have a backdoor.
Matthew Green, a John Hopkins research professor, has a great post on DualECDRBG and its flaws. He explains what the flaw is and how it is exploited. The article is fairly technical but not overly mathematical so interested Irreal readers should be able to follow it without problems.
Ironically, DualECDRBG is very slow (about 3 orders of magnitude slower than the other RNGs in SP 800-90A) so there is no reason to use it except these types of algorithms can be proved to be secure and the cautious implementer may be willing to sacrifice the performance for the security. Unfortunately, NIST neglected to include such a proof in SP 800-90A and when cryptographers took a close look they discovered many problems with the algorithm. Read Green’s post for the details.
Incredibly, despite these problems having been known since 2007, there are still implementations using the algorithm. Meanwhile, NIST has reopened public comment on SP 800-90A and is strongly recommending that DualECDRBG not be used until the standard is reissued.