[148895] in cryptography@c2.net mail archive
Re: [Cryptography] Dual_EC_DRBG backdoor: a proof of concept
daemon@ATHENA.MIT.EDU (ianG)
Fri Jan 3 11:04:18 2014
X-Original-To: cryptography@metzdowd.com
Date: Fri, 03 Jan 2014 11:25:30 +0300
From: ianG <iang@iang.org>
To: Krisztián Pintér <pinterkr@gmail.com>,
John Kelsey <crypto.jmk@gmail.com>
In-Reply-To: <435004895.20140103084545@gmail.com>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>,
Jon Callas <jon@callas.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 3/01/14 10:45 AM, Krisztián Pintér wrote:
>
> John Kelsey (at Friday, January 3, 2014, 2:31:00 AM):
>> If we replaced dual ec drbg's output function by taking the parity
>> of the output point's scalar value, it looks to me like we'd have a
>> secure drbg despite the potentially evil choice of P and Q, with
>> whatever good theoretical properties came from dual ec drbg.
>
> dual ec is easy to fix, but what is the point? it is even easier not
> to use it, and use fortuna instead, which is better in every way
> possible. people only use dual ec if they have to, to be compliant
> with whatever standards. but then they can't change it, not even the
> extraction part (heck, they can't even fix the mistakes in the
> documentation, see the case of openssl).
>
This is a seriously good point. Defaults are meant to be changed, and are offered as a sort of security feature. Alternatives are offered as if this makes sense in a security context [1].
But can defaults be changed? The barrier to this is often high, and too high to be realistic or give any security benefit.
Two questions, possibly as research topics:
1. How often are security defaults changed? In any given environment such as OpenSSL, etc.
2. How hard is it to change the defaults? What is the mental energy, skill & time required? How high is this barrier?
The result of defaults seems to be that they are poorly chosen [2], end up being the only choice for 99%, and open up an easy attack, DUAL_EC [3].
iang
[1] http://financialcryptography.com/mt/archives/001461.html
[2] http://financialcryptography.com/mt/archives/001450.html
[3] http://financialcryptography.com/mt/archives/001446.html
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
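The output-function change John Kelsey describes in the quoted message, modelled as an added example that is not part of the original thread. It runs a Dual EC style iteration (r = x(sP), output derived from rQ, next state x(rP)) on a tiny curve over GF(97) with constructed base points, and compares three output functions: the full x-coordinate of rQ, a truncated x-coordinate (the analogue of Dual EC dropping only 16 bits), and Kelsey's single parity bit. The function candidates_for_output counts how many curve points are consistent with one observed output; that count is the security-relevant quantity, because the thread's backdoor rests on the observer being able to recover the point rQ from the output and then map it to rP with a known relation between P and Q. The curve, the points P_BASE and Q_BASE, the function names and the one-bit truncation are all assumptions made for the example; this is not a real DRBG and Q_BASE is derived from P_BASE only so that it is a valid point.

```python
"""Toy model of Dual EC DRBG's output function versus a parity-bit output.
Everything here is constructed for illustration: the curve y^2 = x^3 + A x + B
over GF(97) and the base points are made up and have no cryptographic value."""

P_MOD = 97          # toy field prime (constructed)
A, B = 2, 3         # toy curve coefficients (constructed)
INF = None          # point at infinity


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Affine group law on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def xcoord(pt):
    # The toy curve is tiny, so hitting the point at infinity is possible;
    # a real-size curve makes that negligible.  Map it to 0 for simplicity.
    return 0 if pt is INF else pt[0]


P_BASE = (3, 6)                        # public base point (constructed)
Q_BASE = scalar_mult(3, P_BASE)        # second point; derived from P only so it
                                       # is on the curve.  Its provenance is
                                       # exactly what the thread is about.

TRUNC_MASK = (1 << 6) - 1              # drop the top bit of a 7-bit x, the toy
                                       # analogue of Dual EC dropping 16 of 256


def output_function(out_point, mode):
    x = xcoord(out_point)
    if mode == "xcoord":
        return x                       # full x-coordinate of r*Q
    if mode == "truncated":
        return x & TRUNC_MASK          # Dual EC proper: x with a few bits dropped
    if mode == "parity":
        return x & 1                   # Kelsey's proposal: one hard-core bit
    raise ValueError(mode)


def dual_ec_step(state, mode):
    """One iteration: r = x(sP); output from r*Q; new state s' = x(rP)."""
    r = xcoord(scalar_mult(state, P_BASE))
    out = output_function(scalar_mult(r, Q_BASE), mode)
    new_state = xcoord(scalar_mult(r, P_BASE))
    return new_state, out


def generate(seed, n_outputs, mode):
    state, outs = seed, []
    for _ in range(n_outputs):
        state, out = dual_ec_step(state, mode)
        outs.append(out)
    return outs


def all_affine_points():
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if is_on_curve((x, y))]


def candidates_for_output(out, mode):
    """Curve points r*Q that an observer cannot rule out after seeing one output.
    xcoord: at most 2 (the point up to sign); truncated: a handful;
    parity: about half of the curve, so the point is not recoverable."""
    return [pt for pt in all_affine_points()
            if output_function(pt, mode) == out]


if __name__ == "__main__":
    for mode in ("xcoord", "truncated", "parity"):
        outs = generate(11, 6, mode)
        print(mode, outs, "candidates for first output:",
              len(candidates_for_output(outs[0], mode)))
```

The parity output costs a full scalar multiplication per bit, which is the practical objection to it; the example only makes visible why the single bit is the safer output, not that it is cheap.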