[146670] in cryptography@c2.net mail archive
Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"
daemon@ATHENA.MIT.EDU (Tim Dierks)
Fri Sep 6 13:27:56 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <27AD9020-4050-4E2D-A0F7-F9B89DD67112@math.ntnu.no>
From: Tim Dierks <tim@dierks.org>
Date: Fri, 6 Sep 2013 13:09:19 -0400
To: Kristian Gjøsteen <kristian.gjosteen@math.ntnu.no>
Cc: Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Fri, Sep 6, 2013 at 3:03 AM, Kristian Gjøsteen <kristian.gjosteen@math.ntnu.no> wrote:
> Has anyone, anywhere ever seen someone use Dual-EC-DRBG?
>
> I mean, who on earth would be daft enough to use the slowest possible
> DRBG? If this is the best NSA can do, they are over-hyped.
>
It's implemented in Windows and in a number of other libraries*; I can't
find any documentation on which points these implementations use. But I
agree that there's little technical reason to use it—however, who is to
know that a vendor couldn't be influenced to choose it?
In pursuing the list of NIST validations, there's a number of cases where
Dual_EC_DRBG is the only listed mode, but all of them (with one exception)
are issued to companies where they have other validations, generally on
similar products, so it just looks like they got multiple validations for
different modes. The one exception is Lancope, validation #288, which
validated their use of Dual_EC_DRBG, but no other modes. So it looks like
there's at least one implementation in use in the wild.
- Tim
* - The implementors that NIST lists <http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html> are:
RSA, Certicom, Cisco, Juniper, BlackBerry, OpenPeak, OpenSSL, Microsoft,
Mocana, ARX, Cummings Engineering Consultants, Catbird, Thales e-Security,
SafeLogic, Panzura, SafeNet, Kony, Riverbed, and Symantec. (I excluded
validations where the implementation clearly appears to be licensed, but
people can name it anything they want, and some of the above are probably
just OpenSSL forks, etc.)
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography