[146900] in cryptography@c2.net mail archive


Re: [Cryptography] [cryptography] SSH uses secp256/384r1 which has

daemon@ATHENA.MIT.EDU (Kristian Gjøsteen)
Mon Sep 9 09:05:15 2013

X-Original-To: cryptography@metzdowd.com
From: Kristian Gjøsteen <kristian.gjosteen@math.ntnu.no>
In-Reply-To: <20130909084502.GE10405@leitl.org>
Date: Mon, 9 Sep 2013 12:50:29 +0200
To: cryptography@randombit.net,
 Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On 9 Sep 2013 at 10:45, Eugen Leitl <eugen@leitl.org> wrote:
> Forwarded without permission, hence anonymized:
> "
> Hey, I had a look at SEC2 and the TLS/SSH RFCs. SSH uses secp256/384r1
> which has the same parameters as what's in SEC2 which are the same the
> parameters as specified in SP800-90 for Dual EC DRBG!
> TLS specifies you can use those two curves as well...
> Surely that's not coincidence..
> "

The curves are standard NIST curves. They were the curves you used until about now. That they are the same everywhere is no surprise.

The "problem" with Dual-EC-DRBG was that a point that should have been generated verifiably at random was not generated verifiably at random. There's no reason to believe it wasn't, but it was a stupid mistake that should not have been made, and that has now been blown out of all proportion. Users, if there are any, should generate their own points verifiably at random.

If you reuse one or more points from Dual-EC-DRBG as generators in other standards, it is of no matter. Even if the points are carefully chosen, they cannot compromise those other standards. (DLOG is essentially independent of the generator.)

There's no reason to be paranoid, just because the NSA is out to get you.

-- 

Kristian Gjøsteen



_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
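To make concrete what "generated verifiably at random" means for a curve point, here is an added example (not code from the original message or from any standard): a try-and-increment derivation of a P-256 point from a public seed, together with the recomputation a verifier would run. The seed string, the counter encoding and the even-y canonicalization rule are my own assumptions, not a standardized procedure.

```python
import hashlib

# secp256r1 (NIST P-256) domain parameters as published in SEC 2 / FIPS 186.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def on_curve(x: int, y: int) -> bool:
    """Affine point check: y^2 == x^3 + a*x + b (mod p).
    P-256 has cofactor 1, so any point on the curve is in the prime-order group."""
    return (y * y - (pow(x, 3, P) + A * x + B)) % P == 0


def derive_point(seed: bytes, max_tries: int = 256):
    """Try-and-increment (assumed procedure, not from the page or a standard):
    hash seed || counter to an x-coordinate until a point exists.
    Returns (x, y, counter) so that anyone holding the seed can re-derive it."""
    for ctr in range(max_tries):
        digest = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (pow(x, 3, P) + A * x + B) % P
        # Since p == 3 (mod 4), rhs^((p+1)/4) is a square root when one exists.
        y = pow(rhs, (P + 1) // 4, P)
        if (y * y) % P == rhs:
            if y & 1:
                y = P - y  # canonical choice: the even root
            return x, y, ctr
    raise ValueError("no curve point found within max_tries")


def verify_point(seed: bytes, x: int, y: int, ctr: int) -> bool:
    """The verifier's check: recompute from the public seed and compare.
    A point that cannot be reproduced this way is not verifiably random."""
    return derive_point(seed) == (x, y, ctr) and on_curve(x, y)


if __name__ == "__main__":
    seed = b"constructed example seed"  # constructed input for this example
    x, y, ctr = derive_point(seed)
    print(f"counter={ctr} x={x:064x} y={y:064x}")
    print("verifies:", verify_point(seed, x, y, ctr))
```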
