[147295] in cryptography@c2.net mail archive


Re: [Cryptography] RSA recommends against use of its own products.

daemon@ATHENA.MIT.EDU (Kristian Gjøsteen)
Wed Sep 25 18:25:45 2013

X-Original-To: cryptography@metzdowd.com
From: Kristian Gjøsteen <kristian.gjosteen@math.ntnu.no>
In-Reply-To: <A910B4EF-6D63-4EBE-AB4A-D63EB2494F49@lrw.com>
Date: Wed, 25 Sep 2013 14:29:18 +0200
To: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 24 Sep 2013 at 18:01, Jerry Leichter <leichter@lrw.com> wrote:

> At the time this default was chosen (2005 or thereabouts), it was *not* a "mistake".  Dual EC DRBG was in a just-published NIST standard.  ECC was "hot" as the best of the new stuff - with endorsements not just from NSA but from academic researchers.

Choosing Dual-EC-DRBG has been a mistake for its entire lifetime, because it is so slow.

While some reasonable people seem to have a preference for cryptography based on number theory, I've never met anyone who would actually use Dual-EC-DRBG. (Blum-Blum-Shub-fanatics show up all the time, but they are all nutcases.)

I claim that RSA was either malicious, easily fooled or incompetent to use the generator. I will not buy anything from RSA in the future. Were I using RSA products or services, I would find replacements.

(For what it's worth, I discounted the press reports about a trapdoor in Dual-EC-DRBG because I didn't think anyone would be daft enough to use it. I was wrong.)

-- 
Kristian Gjøsteen



_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
