[149152] in cryptography@c2.net mail archive
Re: [Cryptography] RSA is dead.
daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Tue Jan 21 02:43:56 2014
Date: Mon, 20 Jan 2014 17:10:46 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Jonathan Hunt <j@me.net.nz>
Cc: Jerry Leichter <leichter@lrw.com>, John Kelsey <crypto.jmk@gmail.com>,
	cryptography moderated list <cryptography@metzdowd.com>,
	William Allen Simpson <william.allen.simpson@gmail.com>
On Mon, Jan 20, 2014 at 3:15 PM, Jonathan Hunt <j@me.net.nz> wrote:
> On Mon, Jan 20, 2014 at 11:39 AM, Jerry Leichter <leichter@lrw.com> wrote:
> > On Jan 20, 2014, at 12:49 PM, John Kelsey <crypto.jmk@gmail.com> wrote:
> > This is one reason I find all the whining about the NSA/RSA business a
> bit of revisionist history.  You can't look at what RSA did in the light of
> what we know today.  You have to look at it based on what was known or
> reasonably strongly suspected at the time.  Certainly at the time DUAL EC
> DRBG was added to the NIST standards, and RSA added it to BSAFE, NSA was
> accepted in the role of "helper".  The demonstration that it *could* have a
> trap door didn't show it *did* have a trap door - and after all NSA was
> fulfilling its role of helping to improve the security of American
> communications, no?  (Well, that *was and is*  one of its legally-defined
> roles, and that was the one we all saw, repeatedly, in public.)
>
> Here is the presentation from 2007
> http://rump2007.cr.yp.to/15-shumow.pdf
> demonstrating that when the constants are chosen they are able to
> break DUAL EC. Note, not speculating, but demonstrating a working
> attack (using their own chosen constants). "In every experiment 32
> bytes of output was sufficient to uniquely identify the internal state
> of the PRNG."
>
> So the only unknown after 2007 was, does someone have the secrets from
> the NIST specified constants? This is MUCH worse than some theoretical
> weakness that may or may not turn out to be important. This is a
> practical break.
>
> No competent crypto company could be recommending DUAL EC after 2007.
> No speculation about whether they should or shouldn't have trusted NSA
> is needed. After 2007, DUAL EC was a known badly broken PRNG,
> demonstrated in a public presentation for respected cryptographers. To
> continue to leave it as the default for the next 5 years is a total
> failure at their core business.
>
They were a little subtler.
The NIST standard permits the use of user defined curves. They didn't trust
the Fort Meade folk either. The scheme is secure if you choose your own
curves but most people don't.
In fact the use of a deterministic RNG with that type of trapdoor is
arguably a best practice. It provides a way to audit the operation of a
manufactured device.
The behavior of the device is transparent and deterministic if the backdoor
constants are known and pseudo-random and non-predictable otherwise.
The device itself has no way to tell if it is being fed trapdoor constants
or not and thus no way to tell if it is being audited or not.
-- 
Website: http://hallambaker.com/
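The trapdoor discussed in the two messages above, as an added worked example in Python. It is not code from either post, from the Shumow-Ferguson slides, or from any shipped Dual EC implementation. It runs a toy Dual EC over a constructed 12-bit curve (y^2 = x^3 + 7 over F_4099, emitting the low 10 bits of each x-coordinate; real Dual EC uses P-256 and emits 240 of 256 bits) and shows both sides of the point Hallam-Baker makes: a party holding e with P = e*Q (equivalently d^-1 mod ord(P), where the published Q = d*P) recovers the generator's internal state from one truncated block plus the blocks that follow it, and from then on the stream is fully predictable to that party, while the same e is useless against a Q someone else generated independently. The curve, truncation, seeds and all names (DualEC, recover_state, nist_style_constants, demo) are this example's own assumptions.

```python
"""Toy Dual EC DRBG with its trapdoor, over a tiny curve.

Added example; not code from the post or from any real Dual EC
implementation. The curve y^2 = x^3 + 7 over F_4099, the 10-bit
truncation and the seeds are constructed for illustration. Real Dual EC
runs on P-256 and emits the low 240 bits of a 256-bit x-coordinate.
"""
import random
from math import gcd

P_MOD = 4099              # prime, 3 (mod 4): square roots are one pow()
A, B = 0, 7               # y^2 = x^3 + A*x + B
OUT_BITS = 10             # bits of x(r*Q) released per block
INF = None                # point at infinity

def add(p1, p2):
    """Affine point addition (handles doubling and inverses)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Point with this x and the smaller y, or None if x is not on the curve."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, min(y, P_MOD - y)) if y * y % P_MOD == rhs else None

def order(pt):
    """Brute-force point order; fine for a 12-bit curve."""
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n

def find_base():
    """Generator P: the highest-order point among the first few lifts."""
    best, best_n = None, 0
    for x in range(1, 40):
        pt = lift_x(x)
        if pt is None:
            continue
        n = order(pt)
        if n > best_n:
            best, best_n = pt, n
    return best, best_n

BASE_P, N = find_base()

def as_scalar(x):
    """x-coordinates are reused as scalars; dodge the toy-only 0 mod N case."""
    return x % N or 1

class DualEC:
    """One block: r = x(s*P); emit low bits of x(r*Q); new state s = x(r*P)."""
    def __init__(self, Q, seed):
        self.Q, self.s = Q, seed

    def step(self):
        r = as_scalar(mul(as_scalar(self.s), BASE_P)[0])
        out = mul(r, self.Q)[0] & ((1 << OUT_BITS) - 1)
        self.s = mul(r, BASE_P)[0]
        return out

def nist_style_constants(rng):
    """Designer picks secret d, publishes Q = d*P, keeps e = d^-1 mod N."""
    d = rng.randrange(2, N)
    while gcd(d, N) != 1:
        d = rng.randrange(2, N)
    return mul(d, BASE_P), pow(d, -1, N)

def recover_state(Q, e, out1, later):
    """Trapdoor holder: from one truncated block and the blocks after it,
    return every state (after block 1) consistent with all of them.
    Needs e with P = e*Q; without e the candidates below are just noise."""
    cands = set()
    for hi in range((P_MOD >> OUT_BITS) + 1):       # brute-force dropped bits
        x = (hi << OUT_BITS) | out1
        if x >= P_MOD:
            break
        pt = lift_x(x)
        if pt is None:
            continue
        for R in (pt, (pt[0], (-pt[1]) % P_MOD)):   # both signs of y
            eR = mul(e, R)                           # equals r*P when R = r*Q
            if eR is INF:
                continue
            g = DualEC(Q, eR[0])
            if [g.step() for _ in later] == later:   # later blocks confirm it
                cands.add(eR[0])
    return cands

def demo(seed=2014):
    rng = random.Random(seed)                        # constructed, fixed seed
    Q, e = nist_style_constants(rng)
    victim = DualEC(Q, rng.randrange(1, N))
    out1 = victim.step()
    true_state = victim.s                            # what the attacker wants
    later = [victim.step() for _ in range(3)]
    cands = recover_state(Q, e, out1, later)
    # A device owner who generates its own Q (scalar discarded) is immune to e.
    own_Q, _ = nist_style_constants(rng)
    v2 = DualEC(own_Q, rng.randrange(1, N))
    o1, s2 = v2.step(), None
    s2 = v2.s
    l2 = [v2.step() for _ in range(3)]
    return {"true_state_in_cands": true_state in cands,
            "n_cands": len(cands),
            "own_q_leaks": s2 in recover_state(own_Q, e, o1, l2)}

if __name__ == "__main__":
    print(demo())
```

Running it shows the asymmetry in the post: with the designer's e, the generator's true state is always among the handful of candidates surviving the later-block check (two blocks of output already pin it down, the same thing the 2007 slides report as 32 bytes for P-256), after which every future block is known to the holder; with a Q the device owner generated itself, the same e recovers nothing, and the output is indistinguishable from random to that holder. Nothing in the device's behaviour differs between the two cases.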
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography