[146652] in cryptography@c2.net mail archive
Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
daemon@ATHENA.MIT.EDU (Kristian Gjøste
Fri Sep 6 12:40:55 2013
X-Original-To: cryptography@metzdowd.com
From: Kristian Gjøsteen <kristian.gjosteen@math.ntnu.no>
In-Reply-To: <CAD5Uzx9RHvO9h+5B3+46=VFbvXrcpcJBqJn2WTATPeEi9z9bBg@mail.gmail.com>
Date: Fri, 6 Sep 2013 09:03:27 +0200
To: Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 5 Sep 2013 at 23:14, Tim Dierks <tim@dierks.org> wrote:
> I believe it is Dual_EC_DRBG. The ProPublica story says:
> Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”
> This appears to describe the NIST SP 800-90 situation pretty precisely. I found Schneier's contemporaneous article to be good at refreshing my memory: http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
As a co-author of an analysis of Dual-EC-DRBG that did not emphasize this problem (we only stated that Q had to be chosen at random; Ferguson & co. were right to emphasize this point), I would like to ask:
Has anyone, anywhere, ever seen someone use Dual-EC-DRBG?
I mean, who on earth would be daft enough to use the slowest possible DRBG?
If this is the best NSA can do, they are over-hyped.
(If you really do want to use Dual-EC-DRBG: truncate more than 16 bits, and don't use NSA's points, choose your own - at random.)
-- 
Kristian Gjøsteen
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography