
Backdoor in new NIST crypto standard?
By Jerome Saiz, Sun, November 18th, 2007
Crypto geeks are ablaze. They fear an intentional weakness has been inserted into a new random number generator spec approved by the US standards body NIST. According to crypto legend Bruce Schneier, it's indeed a backdoor. It would allow breaking SSL connections in no time.
Crypto stuff is always fascinating and incredibly complex for us mere mortals. But when it involves another fascinating and complex US government spy agency like the NSA, a suspicion of an inside job and crypto legend Bruce Schneier, it becomes outright exciting.
Here is the deal: the US standards body NIST recently approved a set of crypto standards designed to help generate the random numbers used in crypto. As Bruce Schneier rightly puts it, random numbers are the foundation (and Achilles' heel) of all things crypto. Break the random number generator, and you'd probably break the crypto built on top of it.
Now, out of the four random number generators NIST approved, three are totally fine. But one appears to be fishy and outright slow. Out of the four standards, this one is precisely the one the US secret agency NSA insisted on including.
This alone is enough to draw the attention of crypto geeks around the world. And they did find some weaknesses when they first looked at the new standard last year. But then others looked again more recently, and what they found is puzzling the crypto community.
Researchers Dan Shumow and Niels Ferguson showed at the Crypto 2007 conference in Santa Barbara, California, USA, that the standard has a specific weakness that could, according to Schneier, "only be described as a backdoor".
The flaw lies in the way Dual_EC_DRBG chooses its random numbers: while they seem random on the outside, the researchers determined that they are all linked to one specific secret number. Whoever knows that secret number is supposed to be able to decrypt anything based on keys generated with Dual_EC_DRBG's help.
Now, of course, the question is who knows that secret "Master Key". And there, nobody knows. Some say the NSA's insistence on pushing this standard through NIST, when it was already known to be weaker than the other three, is fishy. Others say it's some private contractor at the NSA, or an NSA employee working on its behalf. All that is known is that anybody involved in creating this standard could have intentionally crafted that secret number.
Now, the scary stuff: an attacker knowing the secret number would only need to intercept 32 bits of the random generator's output. According to Schneier, watching a single TLS handshake would be enough to break it.
Like all great secret stories, this one does not end here, though. It gets even more puzzling when you know that it's actually possible to use Dual_EC_DRBG safely by doing what the mystery person did: creating a new "secret number" and keeping it safe. So this backdoor can actually be neutralized.
Of course, as Schneier points out, out of the many hardware and software vendors that will use the NIST standard for generating random numbers in their products, many will probably never bother to change that Master Key...
More about this news: see http://rump2007.cr.yp.to/15-shumow.pdf
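To make the mechanism concrete, here is an added toy example (not from the article or from the Shumow/Ferguson slides) that replaces elliptic-curve scalar multiplication with exponentiation mod a small safe prime; the group size, constants and function names are assumptions for illustration only. It shows the relation the article calls the "secret number" (P = Q^d here), how one observed output hands every later output to whoever knows d, and why deriving your own Q with no known relation to P neutralizes the backdoor.

```python
import hashlib

# Toy stand-in for Dual_EC_DRBG (constructed, not the NIST algorithm): exponentiation
# mod a small safe prime p = 2q + 1 replaces elliptic-curve scalar multiplication.
# Squares mod p form a subgroup of prime order q, playing the role of the curve group.
P_MOD = 1019        # safe prime (toy size only), q = 509
Q_POINT = 4         # public "Q": a square mod p, so it generates the order-q subgroup
SECRET_D = 123      # the designer's "secret number": P = Q^d, known only to the designer
P_POINT = pow(Q_POINT, SECRET_D, P_MOD)   # public "P", published next to Q


def drbg_step(state, p_pt, q_pt):
    """One round: next state derived from P, output derived from Q (as in Dual_EC)."""
    next_state = pow(p_pt, state, P_MOD)   # curve version: s_{i+1} = x(s_i * P)
    output = pow(q_pt, state, P_MOD)       # curve version: r_i = x(s_i * Q)
    return next_state, output

def drbg_outputs(seed, n, p_pt=P_POINT, q_pt=Q_POINT):
    """Run the generator for n rounds from a seed and return its n outputs."""
    state, outs = seed, []
    for _ in range(n):
        state, r = drbg_step(state, p_pt, q_pt)
        outs.append(r)
    return outs

def recover_state(observed_output, d):
    """The backdoor: with P = Q^d, one output r = Q^s gives r^d = P^s, the next state."""
    return pow(observed_output, d, P_MOD)

def predict_outputs(observed_output, d, n, p_pt=P_POINT, q_pt=Q_POINT):
    """Knowing d, a single intercepted output predicts every later output."""
    return drbg_outputs(recover_state(observed_output, d), n, p_pt, q_pt)

def fresh_q(label=b"my-own-Q"):
    """The fix the article describes: derive your own Q from a public, nothing-up-my-sleeve
    string. It is a square (so it lies in the order-q group) with no known relation to P,
    so there is no d for anyone to know; SECRET_D no longer recovers the state."""
    counter = 0
    while True:
        h = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        cand = pow(int.from_bytes(h, "big") % (P_MOD - 2) + 2, 2, P_MOD)
        if cand not in (1, Q_POINT):   # reject the identity and the suspect Q
            return cand
        counter += 1

if __name__ == "__main__":
    outs = drbg_outputs(42, 4)
    print(predict_outputs(outs[0], SECRET_D, 3) == outs[1:])   # True: one output leaks the rest
```

Swapping `Q_POINT` for `fresh_q()` in `drbg_outputs` leaves `recover_state` with the wrong value, which is the whole point of generating your own Q.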