[146597] in cryptography@c2.net mail archive
Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu Sep 5 19:35:51 2013
X-Original-To: cryptography@metzdowd.com
Date: Thu, 5 Sep 2013 19:35:37 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: John Kelsey <crypto.jmk@gmail.com>
In-Reply-To: <0C2397AE-657D-457A-ACD6-826C80E5A64A@gmail.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Thu, 5 Sep 2013 19:14:53 -0400 John Kelsey <crypto.jmk@gmail.com> wrote:
> First, I don't think it has anything to do with Dual EC DRBG. Who
> uses it?
It did *seem* to match the particular part of the story about a
subverted standard that was complained about by Microsoft
researchers. I would not claim that it is the most important part of
the story.
> My impression is that most of the encryption that fits what's in
> the article is TLS/SSL.
Yes, and if they have a real hole there they're exploiting, that is
quite disturbing. If they're merely using a hodge-podge of techniques
to get keys, it is less worrying.
> Where do the world's crypto random numbers come from? My guess is
> some version of the Windows crypto api and /dev/random
> or /dev/urandom account for most of them.
I'm starting to think that I'd probably rather type in the results of
a few dozen die rolls every month into my critical servers and let
AES or something similar in counter mode do the rest.
A d20 has a bit more than 4 bits of entropy. I can get 256 bits with
64 die rolls, or, if I have eight dice, 16 rolls of the group. If I
mistype when entering the info, no harm is caused. The generator can
be easily tested for correct behavior if it is simply a block cipher.
> What does most of the world's TLS? OpenSSL and a few other
> libraries, is my guess. But someone must have good data about this.
>
> My broader question is, how the hell did a sysadmin in Hawaii get
> hold of something that had to be super secret? He must have been
> stealing files from some very high ranking people.
I believe there was already discussion in the press on that latter
point, but I think it is less germane to our discussion here and
would prefer that we avoid speculating on things that are only of
human/gossip interest.
Perry
--
Perry E. Metzger perry@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
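The dice-seeded counter-mode generator Perry sketches, worked out as an added Go example (not code from the mail or from the list): entropy accounting for a d20, conditioning of the typed rolls into a 256-bit key (hashing with SHA-256 is an assumption; the mail does not say how rolls become a key), AES-256 in counter mode for output, and the known-answer check that makes a block-cipher generator "easily tested".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"math"
)

// EntropyBits is the entropy of `rolls` fair `sides`-sided dice: rolls * log2(sides).
func EntropyBits(sides, rolls int) float64 { return float64(rolls) * math.Log2(float64(sides)) }

// RollsNeeded is the smallest roll count giving at least `bits` of entropy (a d20 is ~4.32 bits).
func RollsNeeded(sides, bits int) int { return int(math.Ceil(float64(bits) / math.Log2(float64(sides)))) }

// SeedFromRolls condenses hand-typed rolls into a 256-bit AES key. Hashing with SHA-256
// is an assumption made here; a mistyped roll simply yields a different, equally good seed.
func SeedFromRolls(sides int, rolls []int) ([]byte, error) {
	if EntropyBits(sides, len(rolls)) < 256 {
		return nil, errors.New("not enough rolls for 256 bits of entropy")
	}
	h := sha256.New()
	for _, r := range rolls {
		if r < 1 || r > sides {
			return nil, errors.New("roll outside the die's range")
		}
		h.Write([]byte{byte(r)})
	}
	return h.Sum(nil), nil
}

// Generate is the "AES in counter mode does the rest" step: n bytes of AES-256-CTR keystream
// under the seed, with the counter starting at zero (fine because each seed is used once).
func Generate(seed []byte, n int) ([]byte, error) {
	block, err := aes.NewCipher(seed)
	if err != nil {
		return nil, err
	}
	out := make([]byte, n) // XOR-ing zeros yields the raw keystream
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, out)
	return out, nil
}

// AESKnownAnswerOK is the "easily tested" property: the FIPS-197 appendix C.1 AES-128
// vector either matches or the block cipher underneath is broken (or backdoored).
func AESKnownAnswerOK() bool {
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	pt, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	want, _ := hex.DecodeString("69c4e0d86a7b0430d8cdb78070b4c55a")
	block, _ := aes.NewCipher(key) // a 16-byte key cannot fail NewCipher
	got := make([]byte, aes.BlockSize)
	block.Encrypt(got, pt)
	return bytes.Equal(got, want)
}
```

Run the known-answer check at every boot before trusting the output; a generator that is only a block cipher plus a counter has nothing else to verify.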