Secure messaging app Threema and NIST SP 800-90A

Recently the RSA, a major US computer security firm, told its customers that a random number generator, Dual EC DRBG (NIST 800-90A) used in its software may contain a NSA backdoor and advised it’s customers to discontinue its use: Deliberately flawed? RSA Security tells customers to drop NSA-related encryption algorithm. As this is one of a number of random number generators used in elliptic curve cryptography used in secure messaging app Threema we contacted the Kasper Systems to check this wasn’t a known flaw in their service, see their response below:

Image

While not revealing the random number generator used, it does offer some reassurance that this particular vulnerability isn’t included in the software. Further details of the encryption used can be found in the Threema FAQ.

Advertisements