[149160] in cryptography@c2.net mail archive


[Cryptography] Fwd: RSA is dead.

daemon@ATHENA.MIT.EDU (Jonathan Hunt)
Tue Jan 21 02:57:43 2014

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAM4zyng46OnFPmoLWN_JcZCZRt+ppeFT5SWGGBKGbL1T8FSeHA@mail.gmail.com>
From: Jonathan Hunt <j@me.net.nz>
Date: Mon, 20 Jan 2014 23:51:12 -0800
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Mon, Jan 20, 2014 at 2:10 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> The NIST standard permits the use of user defined curves. They didn't trust
> the Fort Meade folk either. The scheme is secure if you choose your own
> curves but most people don't.
>
> In fact the use of a deterministic RNG with that type of trapdoor is
> arguably a best practice. It provides a way to audit the operation of a
> manufactured device.
>
> The behavior of the device is transparent and deterministic if the backdoor
> constants are known and pseudo random and non predictable otherwise.
>
> The device itself has no way to tell if it is being fed trapdoor constants
> or not and thus no way to tell if it is being audited or not.

Fair enough. And then one would expect a competent crypto company to
provide support for DUAL EC which requires the user to generate a set
of constants and refuses to use the NIST defaults.

Good crypto library design should try to make it hard for users to
shoot themselves in the foot (see for example Peter Gutmann's cryptlib).
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
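As an added illustration for the exchange above (example code written for this archive page; it is not code from the posters, from NIST, or from any vendor), the following Python models the Dual EC DRBG structure being discussed on P-256: the state advances as s <- x(sP), each output is r <- x(sQ) with its top bits dropped, and Q is the constant in question. make_trapdoor_q() plays the party who picks Q = dP and keeps e = d^-1 mod n; recover_state() shows that e turns one pair of consecutive outputs into the internal state, which is at once the backdoor and the audit channel Hallam-Baker describes (whoever holds e can predict every later output and so check that the device really is running the algorithm, while the device cannot tell). make_independent_q() plays the user Hunt has in mind, who derives Q from a public label by hashing so that nobody holds a usable e, and the same recovery attempt then fails. The DualEC class has no default Q at all; comparing against the published SP 800-90A constants would be a natural extra check but those constants are not reproduced here. The function names, the label string, the 8-bit truncation used in demo() (the real P-256 instance drops 16 bits; 8 keeps the brute-force loop quick in pure Python) and the affine, non-constant-time arithmetic are all this example's choices, not anything from the thread.

```python
"""Dual EC DRBG trapdoor vs. user-chosen Q, modelled on P-256.
Added example for the list thread; not code from any product or poster."""
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4). The base point doubles as the
# point P of the Dual EC P-256 instance.
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = p - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % p == 0

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % p == 0:                           # R + (-R)
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p)     # doubling: tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)
    lam %= p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Curve point with x-coordinate x, or None. p = 3 mod 4, so sqrt is one pow()."""
    if x >= p:
        return None
    rhs = (x * x * x + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None

class DualEC:
    """Dual_EC_DRBG generate step: s <- x(sP); r <- x(sQ); emit r with its top
    trunc_bits bits dropped. Q must come from the caller; there is no default."""
    def __init__(self, seed, Q, trunc_bits=16):
        if Q is None or not on_curve(Q) or Q == P:
            raise ValueError("Q must be a caller-supplied curve point distinct from P")
        self.s, self.Q, self.mask = seed, Q, (1 << (256 - trunc_bits)) - 1   # seed != 0
    def block(self):
        self.s = mul(self.s, P)[0]
        return mul(self.s, self.Q)[0] & self.mask

def make_trapdoor_q():
    """Insider's Q = dP with d secret. e = d^-1 mod n then gives e*(sQ) = sP:
    e maps an output point straight to the next state."""
    d = secrets.randbelow(N - 1) + 1
    return mul(d, P), pow(d, -1, N)

def make_independent_q(label):
    """User's Q: hash a public label to an x-coordinate (try-and-increment).
    Nobody knows d with Q = dP, so no e exists for recover_state to use."""
    for ctr in range(1 << 16):
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big")
        pt = lift_x(x)
        if pt is not None:
            return pt
    raise RuntimeError("no point found")          # practically unreachable

def recover_state(r1, r2, Q, e, trunc_bits):
    """Holder of e: brute-force the dropped top bits of r1, lift each candidate to
    R = s1*Q (the sign of R is irrelevant), take s2 = x(eR) = x(s1*P) and let r2
    confirm it. Returns the state that produced r2, or None."""
    mask = (1 << (256 - trunc_bits)) - 1
    for hi in range(1 << trunc_bits):
        R = lift_x((hi << (256 - trunc_bits)) | r1)
        if R is None:
            continue
        s2 = mul(e, R)[0]
        if mul(s2, Q)[0] & mask == r2:
            return s2
    return None

def demo(trunc_bits=8):
    """Returns (trapdoor_holder_predicts_outputs, independent_q_resists)."""
    seed = secrets.randbelow(N - 1) + 1
    Q_bad, e = make_trapdoor_q()
    drbg = DualEC(seed, Q_bad, trunc_bits)
    r1, r2 = drbg.block(), drbg.block()
    s2 = recover_state(r1, r2, Q_bad, e, trunc_bits)
    predicted = False
    if s2 is not None:                            # auditor/attacker now runs in lockstep
        clone = DualEC(s2, Q_bad, trunc_bits)
        predicted = [clone.block() for _ in range(3)] == [drbg.block() for _ in range(3)]
    Q_good = make_independent_q(b"example device Q v1")   # constructed label
    drbg2 = DualEC(seed, Q_good, trunc_bits)
    r1, r2 = drbg2.block(), drbg2.block()
    resists = recover_state(r1, r2, Q_good, e, trunc_bits) is None   # e is useless here
    return predicted, resists

if __name__ == "__main__":
    print(demo())                                 # (True, True)
```

demo() returns (True, True): with the trapdoor Q two output blocks are enough for the holder of e to recover the state and reproduce every later block, which is exactly the property that makes the constants both a backdoor and an audit hook; with a Q whose discrete log nobody knows, the identical procedure finds nothing. The structure of the generator is the same in both runs, which is why the device cannot tell which kind of Q it was given.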
