[146917] in cryptography@c2.net mail archive


Re: [Cryptography] [cryptography] SSH uses secp256/384r1 which has

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Mon Sep 9 18:03:22 2013

X-Original-To: cryptography@metzdowd.com
Date: Mon, 9 Sep 2013 18:03:14 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Alexander Klimov <alserkli@inbox.ru>
In-Reply-To: <TheMailAgent.7fba669f@6cd5fb8>
Cc: Cryptography List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Mon, 9 Sep 2013 14:07:58 +0300 Alexander Klimov
<alserkli@inbox.ru> wrote:
> On Mon, 9 Sep 2013, Daniel wrote:
> > Is there anyone on the lists qualified in ECC mathematics that can
> > confirm that?
> 
> NIST SP 800-90A, Rev 1 says:
> 
>  The Dual_EC_DRBG requires the specifications of an elliptic curve
> and two points on the elliptic curve. One of the following NIST
> approved curves with associated points shall be used in
> applications requiring certification under [FIPS 140]. More details
> about these curves may be found in [FIPS 186], the Digital
> Signature Standard.
> 
> > And what ramifications it has, if any..
> 
> No. They are widely used curves and thus a good way to reduce
> conspiracy theories that they were chosen in some malicious way to
> subvert DRBG.
> 

Er, don't we currently have documents from the New York Times and the
Guardian that say that in fact they *did* subvert them?

Yes, a week ago this was paranoia, but now we have confirmation, so
it is no longer paranoia.

-- 
Perry E. Metzger		perry@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
