18

From a recent NY Times article:

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

“Eventually, N.S.A. became the sole editor,” the memo says.

What protocol was adopted by NIST in 2006, then subsequently broken by MS employees in 2007?

Fixee

1 Answer

17

The standard in question was the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), standardized in NIST Special Publication 800-90. In this case, it was not a protocol, but instead a random number generator. It wasn't exactly "broken"; instead, it was proven that there existed a "master key", if you will, that would allow someone to predict the stream of "random" bits. (That is, the PRNG isn't really random if you happen to know the proper numbers.)

Although the cryptography community has been aware of this for some time now, this discovery has resurfaced in the recent media firestorm surrounding the Snowden leaks. Note that we aren't really sure if the NSA really constructed the backdoor, or if they have the backdoor "key", although recent events seem to suggest that they do.

You can find some more information at these links:

and of course, the citations at the bottom of the above-linked Wikipedia article are always nice to look at.

Reid