[148549] in cryptography@c2.net mail archive
Re: [Cryptography] What do we know? (Was 'We cannot trust' ...)
daemon@ATHENA.MIT.EDU (ianG)
Sat Dec 21 16:55:34 2013
Date: Sat, 21 Dec 2013 09:37:41 +0300
From: ianG <iang@iang.org>
To: Phillip Hallam-Baker <hallam@gmail.com>
In-Reply-To: <52B4044F.7030108@iang.org>
Cc: John Kelsey <crypto.jmk@gmail.com>,
"cryptography@metzdowd.com" <cryptography@metzdowd.com>,
Theodore Ts'o <tytso@mit.edu>
On 20/12/13 11:48 AM, ianG wrote:
> What do we know?
...
>> I thought that the evidence we had was an elliptic comment in a
>> powerpoint slide that we have interpreted as being a smoking gun for the
>> already suspect DUAL_EC_NRRNG (Not Really Random Number Generator)
>
>
> We know more than that. They stated they were the sole editor. They
> claim the mission to subvert, as laid out very clearly in their goals
> (snippet above). They have the capability, beyond ours. There is
> sufficient information to show that there was a programme of convincing
> suppliers to prioritise in that direction.

Just on that last point, new data came out yesterday.

http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

Two snippets:

"Undisclosed until now was that RSA received $10 million in a deal
that set the NSA formula as the preferred, or default, method for number
generation in the BSafe software, according to two sources familiar with
the contract."

...

"RSA adopted the algorithm even before NIST approved it. The NSA
then cited the early use of Dual Elliptic Curve inside the government to
argue successfully for NIST approval, according to an official familiar
with the proceedings.
RSA's contract made Dual Elliptic Curve the default option for
producing random numbers in the RSA toolkit. ..."

(I haven't seen the original documents, John, have you?)

> In criminal conviction terms, they have the means, the motive and the
> opportunity. They were placed on the scene, at the right time.
>
> We might not get them on the full crime for lack of the smoking gun, but
> they'd likely go down for every lesser degree.

What's interesting in this process is that it lays out *one path* for
subversion in quite good detail. Another snippet:

"... No alarms were raised, former employees said, because the deal
was handled by business leaders rather than pure technologists.
"The labs group had played a very intricate role at BSafe, and they
were basically gone," said labs veteran Michael Wenocur, who left in 1999."

Companies that have been under attack should take note of these ways:
google, facebook, microsoft, etc, because it is beyond reasonable doubt
that these methods have been tried on them. There is another which I'm
writing up in the background.

iang