A flawed RNG is an attackers dream, and a CISO’s worst nightmare.

 

Here’s exactly how not to use an RNG to generate tokens, keys, seeds and other cryptographic material.

http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/

Someone has a lot of explaining to do no doubt, especially as this flaw has been known since 2007 and easily avoided.

Given the scope of impact as noted in the article, I wonder what this means for any PCI PAN replacement tokens issued by systems which use this fatally flawed NSA RNG backdoor?

Predictable tokens? In scope of  PCI ? Lots of explaining to do…especially when it might not be easy to retokenize away from all those potentially vulnerable tokens.

A flawed random number generator is an attackers dream, and a CISO’s worst nightmare.

Leave a Reply

Your email address will not be published. Required fields are marked *