The security of a data connection protected using a flawed U.S. encryption standard promoted by the National Security Agency could be broken in under 16 seconds using a single computer processor. That’s according to the first in-depth study of how easily encryption systems that use the now deprecated Dual_EC random number generator could be defeated by an attacker that had “backdoored” the standard.
The flawed standard has never been widely used to protect Internet communications, even though the security company RSA got $10 million from the NSA to make it the default random number generator in one of its software packages. It is not known whether the NSA or anyone else knows the crucial mathematical relationship needed to exploit the flaw and undo encryption based on Dual_EC.
However, the study conclusively shows that an attacker that did know the key to the Dual_EC backdoor could put it to practical use. Not all of the six different encryption software packages tested could be defeated in seconds: half took a 16-processor cluster between 60 and 80 minutes of work to break. But a national intelligence agency could significantly improve on those times by devoting more computing power to the problem.
MIT Technology Review:
Study Shows Flawed U.S. Encryption Standard Could Be Broken in Seconds