Are the NIST Standard Elliptic Curves Back-doored?

IamTheRealMike writes "In the wake of Bruce Schneier's statements that he no longer trusts the constants selected for elliptic curve cryptography, people have started trying to reproduce the process that led to those constants being selected ... and found it cannot be done. As background, the most basic standard elliptic curves used for digital signatures and other cryptography are called the SEC random curves (SEC is 'Standards for Efficient Cryptography'), a good example being secp256r1. The random numbers in these curve parameters were supposed to be selected via a "verifiably random" process (output of SHA1 on some seed), which is a reasonable way to obtain a nothing up my sleeve number if the input to the hash function is trustworthy, like a small counter or the digits of PI. Unfortunately it turns out the actual inputs used were opaque 256 bit numbers, chosen ad-hoc with no justifications provided. Worse, the curve parameters for SEC were generated by head of elliptic curve research at the NSA — opening the possibility that they were found via a brute force search for a publicly unknown class of weak curves. Although no attack against the selected values are currently known, it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies. Now that the world received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation, NIST re-opened the confirmed-bad standards for public comment. Unless NIST/the NSA can explain why the random curve seed values are trustworthy, it might be time to re-evaluate all NIST based elliptic curve crypto in general."

Meta review

[pr0nbot]

As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

Re:Meta review

[FriendlyLurker]

it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

Exactly. A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable, and they should be put to task over the issue, removed from decision making posts and in the worst cases, professionally shunned by the community and excluded from all standards processes... the cost of not doing this is a return to business as usual once things settle down.

We owe our thanks to Mr. Snowden

[Taco Cowboy]

... A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable

This, and many other expose, can only come to light, because of the courage of a single person - Mr. Edward Snowden.

If not for Mr. Snowden, would we ever discover the phenomenon of the "magic number" ?

If not because of Mr. Snowden, we wouldn't even begin to question the integrity of those previously highly regarded "very important people".

If not for his courage, how much more damage all of us have to suffer ?

And yet, inside the United States of America, there are still people equating Mr. Snowden as though he is a traitor.

And even here in Slashdot, we have posters posting very stinging attack on Mr. Snowden.

Our country is under attack, and the attacker is our own government, but yet, there are still Americans who will do everything to help deepen the tyranny, all in the name of "patriotism".

I, an American citizen, do owe my deepest thanks to Mr. Edward Snowden, and I do hope that more of my fellow Americans should start acknowledge something very very wrong has happened to America, the country we love so much, and that we should start doing something together, to RIGHT THE WRONGS.

There have been too many comments that essentially convey the message that we, the People of America, have no power to determine our own future, and that our government, is so overwhelmingly powerful that we are ready to become their slaves, rather than stand up and oppose the tyranny.

Is America still the land of the free, and the home of the braves ?

Or has American turned into the land of the enslaved, and the home of the cowards ?

The choice is on your hand, my fellow Americans.

Either we start righting the wrongs now, or we will end up handing over to our children a country of tyranny.

Are we going to let our children suffer because of our cowardice ?

You are the only one who can answer the question.

Re:We owe our thanks to Mr. Snowden

[j3thr0]

Except that this came to light back in 2007. http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 [wired.com]

Re:We owe our thanks to Mr. Snowden

[rvw]

Except that this came to light back in 2007.
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 [wired.com]

So why has nobody fixed this in the past six years? Thanks to Snowden it's back in the spotlight, and now it seems like action is being taken. That's his legacy. I thank him for that.

Re:We owe our thanks to Mr. Snowden

[Anonymous Coward]

Before it came to light as a theoretical possibility. People could see that the possibility existed, however accusing the NSA of having used it would be accusing them of deliberately and knowingly weakening the security of systems designed to be used in defence of their country. That is a pretty serious accusation against people who essentially work for the military. Most people's belief in innocent until proven guilty made that a hard case to make.

Now, thanks to Snowdon, we know they have been weakening system security for their own convenience. Suddenly many people's old viewpoints have become obviously naive.

Re:We owe our thanks to Mr. Snowden

[mdielmann]

Wrong. The big problem is the government wants a way to see your data, unconditionally, whether or not you have ever done anything wrong, preferably without you knowing. Their willingness to store the keys somewhere, probably unsafely, for their convenience, rather than putting a back door that someone else might stumble upon is a very minor thing, comparatively.

The Clipper episode doesn't give you insight into technique, in this case. It gives you insight into intent.

Re:We owe our thanks to Mr. Snowden

[IamTheRealMike]

That story is about Dual_EC_DRBG which was indeed strongly suspected of being an NSA back door back in 2007. Snowden confirmed the suspicion. However this story is not about that algorithm. It's about the SEC random curves that are used for signing and other crypto, not random number generation. There are two different algorithms under discussion here.

And was on slashdot in 2007 as well

[gr8_phk]

http://it.slashdot.org/story/07/11/15/184204/new-nsa-approved-encryption-standard-may-contain-backdoor [slashdot.org] I remember at the time it seemed to be confirmed that there IS a backdoor. The question of weather anyone knew the magic numbers to open that door seemed obvious at the time as well - the NSA chose the numbers. It would go against everything they stand for NOT to have the keys.

Side note: Contrary to what some folks claim, this does not make the system weak against any foreign enemy, criminals, or hackers. It makes it weak only to the NSA so long as no one else discovers the master key. Not that this makes it ok, just not as bad as some claim.

Re:

[s.petry]

When it came to light in 2007 why was it tamped down and not dealt with? Is there a history that needs to be audited to explain why it drifted (was pushed?) back into obscurity? Perhaps there's even more value in investigating this. Could there be agents that need to be identified and rooted out?

Because the same corrupt people doing bullshit like this own the media, and have sock puppets for sites like /.. How hard is it for them to currently push things off the front page by submitting numerous seemingly technical articles? How hard is it for people to divert traffic to a "we hate microsoft" thread? I would say just as hard as it is for TV to divert your attention from Syria by showing a nearly naked teenager humping teddy bears.

Hopefully, after all is said and done people catch on and stop fal

Re:

[FriendlyLurker]

Some related reading: "The Responsibility of Intellectuals" [wikipedia.org]

Re:We owe our thanks to Mr. Snowden

[lkcl]

if you've seen the film with nicholas cage, it highlighted for me for the very first time that the U.S. Constitution was written by some extremely fore-sighted people. there are specific words in it which not just permit but *OBLIGATE* you - each and every american citizen - to overthrow any government that has become tyrannical or otherwise lost its way.

given that america has such a significant hold over the rest of the world, *i* as a UK citizen am obligated to point this out to you, because by not doing so it will have an adverse effect (through erosion of sovereign rights of each and every country - erosion initiated by the corrupt U.S. Govt infrastructure) on *my* country to whom *i* hold allegiance.

so - get to it, americans - get your act together!

Re:

[Darinbob]

It wasn't until I saw a Marx Brothers movie that I fully understood communism.

Re:

[chuckinator]

Elliptic curve cryptography looks great on a machine running HollywoodOS at your local cineplex, but I have yet to see a single convincing argument for using it for real life cryptography beyond the cool factor and a bunch of hand waving. It's weak and suffers from weird factorization and Fourier based cryptanalysis, and it's simply inferior to exponentiation based algorithms such as those using in Diffie-Hellman variants, RSA, DSS, krb5, etc.

Re:

[alexgieg]

we should start doing something together, to RIGHT THE WRONGS.

The problem is that whenever discussions on these topics come about, the proposed "solutions" are always framed within the rules set by the power elites. And the power elites are this because they are masters of this game. In fact, they've mastered it so much that nowadays even violent revolutions are no exceptions, they also fit within the rules, just another subset of the same old game.

No, the actual solution is to break the rules altogether. Throughout history what managed to alter the rules the most wer

Re:

[AHuxley]

Re watching slashdot: We are days, weeks, months, years, decades late and talking about whats in the US press over the past days/months.
The best sockpuppets can do is link to science (bread and games) and hope to shape the long term debate away from any more Fourth Amendment/illegality talk.
Enjoy the crypto topics and comment away :)

They know me

[Taco Cowboy]

Thank you Mr. Taco Cowboy (if that's your real name). The FBI should be visiting soon. Please hide your dogs, for their own sake.

Almost every single time I posted a comment that hits the bull's eye someone would counter it with a veil threat, like the above.

FYI, they know who I am.

I came from China, I am a naturalized citizen of the United States of America, and I am currently not living inside the U.S. of A.

In my younger days, I also was involved in some (still secret) military programs.

They have my dossier. They know where I am.

If they want to take me down, they can, any time.

But I am not important. I am expendable.

What is important is the future of my country, the United States of America.

As I said, I came from China, I had had first hand experienced the terror of Tyranny, with a capital "T".

What I, and millions of my former comrades in China had suffered through, I would NOT want you guys in America to go through.

The terror of Tyranny is much more than any Hollywood movie could ever convey.

Go ahead, threatening me more, if that is the thing that makes you feel good.

I have gone through the baptism of hell back when I was in China, death is nothing to be afraid of.

As I said, I am expendable, but the United States of America is not.

Re:

[spire3661]

This is a very Chinese attitude. The nation can crumble around me, if it is deemed corrupt. It is the IDEALS that drive us. When we lose our ideals, we lose the country.

Re:

[MickLinux]

The keys to the definition of kook are held by the government. If you want to know the truth, you have to ignore the label kook.

That doesn't mean that all kooks have the truth. It means that the label kook is often a slanderous title used to hide the truth.

Look at syzygyjob.com, and see the earthquake prediction by Jack Coles. He's rotting in prison even as he does it, calls in his predictions by collect call. I have no idea what he did or is supposed to have done to warrant prision, but

Re:

[Warbothong]

it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

I think the word "magic" is being used with two different meanings here. One meaning is "arbitrary but consistent": those numbers which must be standardised, such as the SHA seeds used to find these curves. The other meaning is "chosen for completely unknown reasons", which describes these particular seed values. The former is a requirement of most cryptographic standards, but the latter should be avoided. If we need to consistently choose an arbitrary number, let it be 1, or pi, or e. Anything else is susp

Re:Meta review

[afidel]

Suspicious yes, but not necessarily bad, remember that the NSA also manipulated the s-box values for DES to make them more resistant to differential cryptanalysis, a technique not yet known by the wider community.

Re:

[AmiMoJo]

Unless they chose numbers that they could break, but which other country's agencies who also independently discovered differential analysis might not.

At this point I think we have to assume anything that the NSA ever did was malicious.

Re:Meta review

[postbigbang]

Even when pi or rho or other "random" numbers are used for seeds as "magic" numbers, additional hashing and rehashing is needed to give further difficulty to decryption by those NOT having the key numbers.

With each new algorithm there is an army chomping at the bit (pardon the pun) to decrypt it, if not for fun or enlightenment, for the profit of the decrypted information value-- if any.

The problem here is trust. The NSA has blown its trust completely, beyond identifiability. Other initiatives, like SELinux, and security initiatives are now also in question, as well as anything the NSA has touched. They're dirty, and make Americans and the world not trust in their own government. We were supposed to be the good guys, we Yanks, and guess what? It was all a lie. Now the NSA has made an enemy of civil people, and civil people will need to protect themselves extra-governmentally, because the government has proven it's not protecting the interests of its citizenry.

Sorry to astroturf, but seeds are no longer the problem. The problem is trust.

Re:Meta review

[Anonymous Coward]

So I can just replace the NSA's magic-numbers with my own generated from RdRand! *ducks*

Re:

[AmiMoJo]

Seriously though, why don't we do this and also depreciate all suspect PRNGs immediately? Every Linux/BSD distro should be scrambling to do it.

Re:

[GameboyRMH]

You might have seen the story about Linus Torvalds' reaction to calls for this...and he's right. Even if RdRand were entirely predictable, since it's only one input used to seed /dev/random, it could only help.

Re:Meta review

[Dan Ost]

Because the designers of the Linux random number generator code designed things such that if RdRand is compromised, it doesn't reduce the strength of the random number generated. However, if it is not compromised, then the randomness is stronger.

Why should we give up a potential benefit if there is no possible harm?

Re:

[Anonymous Coward]

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

That's easy to explain. Secret orders from secret courts and secret gag orders with secret threats that you will be "relocated" to a secret prison somewhere unless you comply (and keep your objections secret).

Re:

[Qzukk]

how do we explain the common practice of using magic numbers in cryptography standard, then?

They came from the government, and the government is here to help.

Re:Meta review

[kelemvor4]

it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

Explainable magic numbers.

Re:

[AHuxley]

RE it made DES significantly stronger?
Banks and businesses where to get a strong version. At some point the "industry" went for a weaker code for wider use.
Just good enough for commercial use, just weak enough for NSA/GCHQ to get in if needed.
http://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA.27s_involvement_in_the_design [wikipedia.org]
...'to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key"
It seems the code was helped to be more protected (ie the significantly s

Re:

[Electricity Likes Me]

At the time the performance of DES was a big problem. Processors weren't nearly as fast, the habit of having dedicated coprocessors on portable devices/network cards hadn't yet emerged. There were a lot of good reasons to get the key-size down to something which would actually be usable at the time.

Its still a concern today - AES was selected because it was easier to implement in hardware, amongst other benefits.

Re:Meta review

[Bill, Shooter of Bul]

Wow. You butchered a butchered phrase. Truly, the student has become a more smart man- doesn't need school.

Its " fool me once, shame on - shame on you. Fool me - you can't get fooled again."

Re:Meta review

[daremonai]

Iran is not a semitic country, by and large. The majority of the population is ethnic Persians who speak Farsi, an Indo-European language. The second largest group is the Azerbaijanis, who speak a Turkic language. I don't think the semitic population (mostly Arab and Assyrian) amounts to more than 10%.

Re:Meta review

[Carewolf]

Iranians are NOT semitic, they are Aryan, the name Iran literally means home of the Aryans. Named so because that is the one common thing that separates the various Iranian people from their semitic neighbours the Arabs.

Re:

[mwvdlee]

Somehow I don't think these weaknesses were introduced through any formal part of the process.

Re:

[Nerdfest]

... then perhaps a formal process is required.

Re:

[TWiTfan]

Don't worry, James Clapper has assured us that there is nothing to see here--and that the NSA's petabytes of storage, tens of billions of dollars of CPU muscle, and 35,000 employees are just being used to spy on a few diplomats in some embassy in some country that we don't like anyway (probably one of them commie ones).

Now let's all stop worrying about such silly matters and go buy new iPhones!

Re:

[Boronx]

When I was a kid in the '80s they tried to fingerprint the whole school "for our protection". I never could figure out how that protected us, but I seemed to be the only person who was concerned about.

I honestly don't remember whether or not they got me.

Re:

[X.25]

As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

Weaknesses?

It is simple. Weakness was 'trust'.

I did want to believe that NSA wouldn't be such cunts as to completely ruin the internet and open research by abusing the trust people gave them. I gave them my trust as well.

They basically destroyed the Internet as we knew it, because much of it was based on trust.

Welcome to collection of commercial networks interconnected for adveritising and content consuming purposes.

Because that's pretty much what's left of it.

Re:

[GameboyRMH]

AFAIK there's no indication that NIST was complicit in this...but if they are I'd agree.

Agree: make a new fully open process, open source

[mrflash818]

Agree: make a new fully open process, open source encryption system, fully peer-reviewed, global internet participation possible, just like the Linux kernel.

Perhaps, like kernel.org, there can be FOE.org (Fully Open Encryption dot org) created.

Then that can be collaborated on via git, the developer community, and the security community. ...just my two cents.

hmmm

[wbr1]

Didn't TOR recently upgrade to the 'more secure' elliptic curve crypto?

This shit will not end until this country is bankrupt completely, or taken over (from within or without).

Re:hmmm

[TWiTfan]

The sad thing is that there is no way to ever put Humpty Dumpty back together again. The U.S. just permanently lost any position as a leading internet innovator. Nothing the U.S. leaders of industry can do now will ever earn back the trust of the rest of the world. No country or company in their right mind will ever trust a U.S. company with sensitive data ever again, and most of the companies that currently do are likely just biding time until they can find a non-U.S. based alternative (or some way to heavily encrypt their data).

Re: hmmm

[sumdumass]

You will find that the majority of decision makers around the world, whether in buisiness or government, will not care as much about this in the long run as you do.

In other words, what you say should be true in book form but will not be true in practice. Many people/governments will not even bother looking to see who is behind what, they will be looking to see if it is an industry accepted standard and our personal concerns will rarely change those. If it could, we wouldn't see wireless at half these busine

Re:

[Boronx]

Their level of concern is proportional to how close their competitors are to the NSA.

Re:

[Lumpy]

Or if the NSA back doors get compromised and are in the wild. Suddenly the Idiot CTO's will take notice.

Re:

[EmperorOfCanada]

Will take time. I suspect that companies like Cisco will sigh a breath of relief over the next few months when sales don't plummet. What they won't realizes is that the biggest companies that have no doubt issued directives for an end to end anti-US snooping overhaul will take a while to figure out what needs to be replaced and which products are best. So while these audits and re-architectings take place these companies will continue with business as usual. And even when the plan is deployed I doubt 100,00

Re:

[gstoddart]

But there is one system that can't be broken and that is one time pads. You have to physically share the pad but that is not so onerous for most companies as they have trusted employees going from branch to branch all the time.

I just don't see that as being as useful here. Or at least, not solving the general problem in a usable way.

Take a multi-national with say, 20 offices, which seems small ... don't you need a OTP for each pair of offices? That's going to turn into a rather large number of OTPs, plus

Re:

[skids]

OTP is a bit of overkill, using a shared secret to generate intermediate keys buys you a lot of lifetime off a small amount of crypto material.

Re:

[gstoddart]

Except, in this case we're talking about how the algorithms themselves might be compromised.

At which point, is your key exchange and encryption all that secure?

From the sounds of it, if you can't trust the underlying crypto, you can't trust what you do with it.

Re:

[dbIII]

Cisco are quite evil without the help of unaccountable spooks, as seen when they had a Canadian man dragged out of a running court session by armed guards over some sort of copyright disagreement. They have zero respect for the law apart for what they can use as a blunt instrument.
Their hardware isn't at the leading edge any more either.

Re:

[Anonymous Coward]

The sad thing is that there is no way to ever put Humpty Dumpty back together again. The U.S. just permanently lost any position as a leading internet innovator.

And because having worked for NSA or NSA-linked contractors is seen as a black mark [ycombinator.com] on one's academic career, NSA has also jeopardized its own ability to recruit the next generation of cryptographers.

There's give and take between the SIGINT and COMSEC missions, and nobody here (or within the IC) is privy to all the information. I fear that by th

Re:hmmm

[joe_frisch]

I think that American users have more to fear from US government spying than foreign users do. Frankly I don't care if the Chinese government has access to all of my personal data - they have very little ability to or interest in interfering with my life. The US government on the other hand is much more likely to act against me in response to my (hypothetical) online mis-behavior. In the same way Chinese citizens have little to fear from the US government but a lot to fear from their own.

The very important exception to this is when you are dealing with industry trade secrets it is quite possible that foreign governments with links to industry represent a larger threat than your own. Of course while the NSA as an organization almost certainly does not sell trade secrets that they have obtained, it is possible that individuals working for the NSA might do so. Snowdon stole a bunch of information and turned it public, another man in the same situation might well have sold it.

Churchill Corollary

[ThatsNotPudding]

No country or company in their right mind will ever trust a U.S. company with sensitive data ever again, and most of the companies that currently do are likely just biding time until they can find a non-U.S. based alternative (or some way to heavily encrypt their data).

The US government is the most untrustworthy government - except for all the others.


:(

Re:

[AHuxley]

Others govs may love of all this as many have been invited into the basic telco/phone tracking and deep packet efforts by contractors.
They can tap/log/track and are just as addicted to the daily file updates on all dissidents.
The US has not much to fear as the AC mentioned trade sanctions and US bilateral trade deals would have telco cooperation in the fine print.
If a US brand loses a contract due to "security questions" expect to see a reminder of what trade is in the local press and a powerful court/tr

Re:hmmm

[HornWumpus]

The Swiss recently sold all the numbered account holders that didn't open their accounts prior to 1950 down the river.

The old money families (Kennedys, DuPonts etc) got to keep their secret accounts secret. Everybody else got fucked.

Re:

[chill]

Those who don't know history are doomed to repeat it.

http://en.wikipedia.org/wiki/Crypto_AG [wikipedia.org]

Re:

[Anonymous Coward]

Yes, but they are using curve25519 which is not one of the curves recommended by NSA or NIST, and which does not have any unexplained magic numbers in its definition.

Re:

[Anonymous Coward]

Yes, but they also use ECDHE TLS p224 to negotiate TLS secret keys. Isn't that recommended by NIST?

I'm not an expert, I'm just asking.

Re:

[Ksevio]

Yeah! So who are we running for President?

Re:Isn't it time we take back our own country ?

[meta-monkey]

I nominate Anonymous Coward.

Re:

[Atzanteol]

It's past that point. Nobody we would want to run would win. If you're not in the two big parties you get no media attention, no money, it's significantly more difficult to get included in debates, etc. IOW it's a doomed candidacy.

Re:

[rvw]

This shit is evidence that this country has *already* been taken over (from within and without)

Isn't it time we, the American Citizens, take back our own country from those fuckers ?

How much longer should we let those fuckers to ruin our country ?

How much longer do we want to be fooled by those fuckers ?

How much longer can our country last, under those fuckers ?

So what are you waiting for? You tell others what to do, and do nothing yourself. That's not going to motivate anybody.
(Disclaimer: I am not a US citizen)

Re:

[Lumpy]

AS soon as you get off your ass and do something other than bitch. I dont see you at any of the rallys or picketing in front of the whitehouse.

Re:Isn't it time we take back our own country ?

[meta-monkey]

Because those are terrible ideas that will have zero effect.

The only way to beat a bureaucracy is at the polls, from the ground up:

1) download your local laws.

2) open in text editor.

3) hack to make them better.

4) get friends/randoms to run for city council with/for you based on those better laws.

5) campaign via social media/crowdfunding

6) win election. Enact laws. Acquire control of pre-built militarized police and tax money

7) use police to fight corruption, taxes to promote education, civic responsibility, transparent government

8) repeat for each city then county then state then nation.

9) ???

10) don't profit because you can't really take lobbying bribes for a distributed lawmaking system.

Why is EC more secure than RSA?

[pikine]

Color me ignorant, but could someone please explain that elliptic curve is more secure than RSA? Wikipedia even claims that a 128-bit EC key is equivalent to 3072-bit RSA key. Even if it's computation complexity brute forcing discrete log or integer factorization on a non-deterministic turing machine, it should differ by no more than a small constant factor, e.g. 512-bit versus 1024-bit, not by O(sqrt(n)) as Wikipedia claims. Wikipedia is simply quoting NSA [nsa.gov].

Re:Why is EC more secure than RSA?

[Anonymous Coward]

The number field sieve relies on the smoothness of the integers modulo n. Using an elliptic curve group rather than the integers modulo n removes this smoothness, so the fastest algorithms available to determine the discrete logarithms are much slower (I believe they're based on Pollard's rho algorithm).

If that made no sense to you, go brush up on your number theory.

If you don't want to learn number theory, then accept that you are incapable of having an informed opinion on asymmetrical cryptography standards. (Which is okay, we can't all have an informed opinion on every issue; your brain can only hold so much stuff, right?)

Re:

[mlts]

I am pretty sure that NeXT took it out because crypto was classified as a munition back then under ITAR, so it was yanked out in a subsequent version. Instead, it had this pseudo public key applet where one could type a password, and the public key was something generated from the password, so when you wanted to sign or decode something, the password was the private key.

I think it was the NSA or someone who goaded Apple into having decent security put in, from the improvements in how passwords were stored

Re:Why is EC more secure than RSA?

[gnasher719]

A 1024 bit RSA key can trivially be cracked in 2^512 operations. An algorithm that uses 2^341 operations (cube root) and involves no more than high school maths was found about 1975. Then we need to go into deep maths, but there are algorithms that are significantly faster, and there is no good reason to think that more progress couldn't be made. 128 vs 3072 is a bit much, but factoring 1024 bit numbers in 2^128 operations doesn't seem impossible.

Re:

[Anonymous Coward]

Public key cryptography is based on mathematical operations which are easy to do but difficult to do in reverse. For example, it is easy to multiply two big prime numbers, but it is difficult to factorize the product. There are multiple such easy-difficult pairs. Currently none of the supposedly difficult problems has been proven to be difficult. It is just assumed that they are difficult because nobody has found an easy way, but people are working on making the difficult problem easier to solve, and advanc

Re:Why is EC more secure than RSA?

[Anonymous Coward]

The discrete log problem on an elliptic curve is believed to be more computationally intensive than the discrete log problem in a ring of integers. For example, see http://www.ams.org/journals/mcom/1987-48-177/S0025-5718-1987-0866109-5/S0025-5718-1987-0866109-5.pdf and http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=F220DD223483B78B72C9CE243A62ADD7?doi=10.1.1.39.4125&rep=rep1&type=pdf

Factoring integers versus Discrete Log in EC group

[betterunixthanunix]

The difference boils down to factoring integers versus computing discrete logarithms in elliptic curve groups. The best publicly known integer factorization algorithm is GNFS which runs in roughly O(2^(n^1/3)), whereas the best publicly known ECDLOG algorithm runs in O(2^(n^1/2)). That is why we need RSA keys that are so much larger than ECC keys.

That, of course, is a theoretical argument. In practice, there are other issues to consider. ECC has a lot of parameters and there are a lot of constraints

Re:Why is EC more secure than RSA?

[lordlod]

The elliptic-curve algorithm is much slower for future quantum based attacks. So it's future-proofing, which is required if you want your secrets to stay secret.

You could get similar results by adopting a 15000 bit RSA key... but that's getting rather large.

A paper with some classical and quantum time estimates, Elliptic-Curve vs RSA: http://arxiv.org/pdf/quant-ph/0301141v2.pdf [arxiv.org]

Re:

[complete loony]

An RSA private key is two prime numbers, the public key is the product of those primes. You only have to find the smaller of the two secret primes, so a full brute force search only has to consider numbers that are prime and less than the square root of the public key size. And I believe there are a number of other shortcuts that can be used to reduce the search. Whereas for EC keys (AFAIK) practically all of the key space of 128-bit integers are valid private keys.

Not shown to be good

[Anonymous Coward]

Why are people even asking if it's been backdoored? It's already established that no one can explain the constants. It hasn't been shown to not be backdoored. That's enough to prove beyond the shadow of a doubt that it's wrong. Arguing about whether the standard is compromised by mere incompetence or malice, isn't worth spending time on.

If you don't know something is done right, then that alone is irrefutable proof that it has been done wrong. Even if they're good constants.

Re:

[somersault]

It hasn't been shown to not be backdoored

You can't really prove that something doesn't have a back door without putting in enough resources to find all the back doors there could possibly be.. so that doesn't make much sense either.

Re:

[Entropius]

If you find out that the locksmith who installed your locks is working for the mob, changing your locks is probably a pretty good idea. Do you know that he's given them a copy of the master key? No, but a locksmith getting paid by the mob usually means only one thing...

Re:Not shown to be good

[Chacharoo]

I wish the parent were modded up. It's the loss of trust that's the bottom line. The constants may well not be back-doored. Or they may be. But once the trust is gone, and there's no verification of how the numbers arose in the first place, it's already too late.

Reference?

[LWATCDR]

" Now that the world received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation,"
What confirmation? Really I fear slashdot has become pure click bait.

Re:Reference?

[IamTheRealMike]

Sorry, I could have provided a link for that too. It was in the major Snowden story of last week that revealed the NSA was undermining public standards. The New York Times said this [nytimes.com]:

Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

“Eventually, N.S.A. became the sole editor,” the memo says.

Although the NYT didn't explicitly name the bad standard, there's only one that fits the criteria given which is Dual_EC_DRBG.

Re:Reference?

[afidel]

Bruce Schneier talked about DRBG being a probable backdoor back in 2007 [schneier.com].

Re:

[Electricity Likes Me]

The problem I have with this article is that it also doesn't say what "appears to confirm" actually means.

The two quotes would apply as much to the agency pushing a standard through a difficults standards body as it would to hiding a weakness in a standard while doing the same.

Where do these quotes appear? Where is the surrounding context? If you can say the NSA weakened an encryption standard then why can't you give more context since that's almost certainly not a problem people are going to imminently die

Re:

[IamTheRealMike]

I just found this new blog post from the NYT which gives a very small amount of additional context. It also explicitly names the NSA RNG as what they were talking about.

http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/ [nytimes.com]

But internal memos leaked by a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — whi

Replaced security with obscurity

[Anonymous Coward]

The essence of what the NSA did, was to replace cryptographic security with security through obscurity. People who haven't found the back door yet don't know its there. Classic 'security via obscurity' that is the opposite of crypto.

Now everyone knows they're there, we need to replace them damn fast. Waiting for the backdoor to be verified is too late, by then bad actors (I mean ones other than General Alexander) could already have found it.

Replacing these takes time, and so the assumption should be they are vulnerable, because the NSA leaks show the NSA knows they are vulnerable, even if we don't quite know the micro detail of how, yet.

Open letter to the NSA

[aaaaaaargh!]

Dear NSA,

Since I'm getting tired of these stories and it seems kind of unfair that you're getting all the heat recently, here is my suggestion how you could improve your PR image by doing something to our mutual benefit:

Please use your supercomputers for a few months to aggressively mine Bitcoins and Litecoins. That would make you (virtually) richer than you already are and free me and the rest of the world in future from annoying Bitcoin-mining stories.

If you like this idea, consider donating some Bitcoins to me. You know where to find me.

Thank you for your attention and best regards,

aaaaaaargh!

Re:

[Anonymous Coward]

They are ALL open letters to the NSA.

Re:

[Boronx]

With their computing power, they could just create their own counterfeit bitcoins that would outvote the rest of market, effectively stealing everyone's coins.

The old cypher machine vs your new internet?

[AHuxley]

The darker crypto history of the 1950-80's would point to long term weak export grade devices.
Why this generation of software and hardware would be allowed to be any different seems to have escaped a few people.
First the govs look at the private leadership, the firms, the brands - help stop communists....
If that fails, go for longterm staff with issues.
If that fails, set up a gov backed front company or standard out spending and undercutting any emerging private experts.
Looking back why did so few not

Justified paranoia

[return 42]

I think we are all going to have to be a lot more paranoid from now on about the public comments NIST gets on crypto standards. We can count on NSA to continue to try to mess with the standards, but they won't do it openly. They'll use proxies with no traceable connection to NSA. The crypto experts will have to examine these things a lot more carefully. Hanlon's razor [wikipedia.org] won't cut it anymore.

Excellent Summary

[Bob9113]

I was going to submit the same story. I'm glad I didn't; that summary is much better than what I had in mind. Nicely done, Unknown Lamer, IamTheRealMike, and any other editors who helped. Thank you for your effort on this important topic!

Not paranoid *enough* ?

[pla]

I only see people discussing the first-level implications to privacy and security of the NSA having chosen parameters that lead to a somehow-weak curve. Except - That doesn't take any special NSA magic, they just cheated up front.

Such discussion completely overlooks the much bigger problem here, however - The NSA chose parameters that give a weaker curve. Parameters generated as the output of hashing them with SHA1.

The ability to choose parameters strongly suggests that the NSA has a way to produce input texts that yield a desired SHA1 hash. That takes special NSA magic, and should really count as the FP story here, not the far less impressive trick of stacking the deck in their favor.

Re:

[skids]

SHA1 has been deprecated (mainly as a precaution, but with evidence that attacks were starting to gain a small foothold) since 2005 (by NIST itself even) in favor of the SHA2-240/256/384/512 suite. The question really is why did the selection of SHA1 over a SHA2 variant (I assume in 2007 since that is when the first draft of what became RFC 5639 was published) not raise red flags, in addition to the from-the-sleeve seeds?

It's time for a community rally

[shaitand]

We need community and built and vetted algorithms, easy and in-built encryption that doesn't rely on a "trusted" third party infrastructure, e-mail encryption that just works, zrtp for all voice communications on by default, and a genuinely locked down android system with firewalling.

There are a lot of Google services we rely on that can be replaced with decentralized community replacements. Clearly, Google is working for the enemy. Clearly, Facebook is working for the enemy. Here we can look to TOR and Bit

Fully Open Encryption

[mrflash818]

There may be a solution to the NSA problem:

Make a new fully open process, open source encryption system, fully peer-reviewed, global internet participation possible, global peer review possible.

Use the development of the Linux kernel as a model. Use the global participation of Debian as a model.

Perhaps, like kernel.org, there can be FOE.org (Fully Open Encryption dot org) created.

Then that FOE system and software can be collaborated on via git, the developer community, and the security community. ...just my two cents.

Re:

[IamTheRealMike]

Bitcoin uses what the SEC calls a Koblitz curve (secp256k1) for which there is much less design freedom and it seems much less likely that there is any way to back-door those curves. Unfortunately many ECC implementations don't support all the curves, just a few of the plain vanilla random ones. Actually I'm not aware of anything except Bitcoin that uses secp256k1.

Re:

[Electricity Likes Me]

"Trust" has not been lost, but paranoia seems to be alive and well. Unless you can actually illustrate a possible attack (in the case of ECC the issue was that the PRNG could be hosting a public key as one of its magic numbers which would allow it to be predicted) then your just jumping at ... something less then a shadow.

There seem to be an awful lot of people with no cryptography expertise making grandiose statements, some probably running off to implement their own crypto which will be "NSA free" and so

Re:Is Bitcoin Vulnerable?

[Sique]

So for the NSA to kick out the really problematic implementations, the really secure ones, those they didn't find a backdoor in yet, the NSA will just recommend them?

Re:

[DrXym]

To give everyone a laugh at libertarian nerds who thought it was a great idea to invest in it.

Re:

[ColdWetDog]

Ken Thompson's article "Reflections on Trusting Trust" seems to apply here.
http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]

Even if the numbers are corrected, we have no guarantee that a lower-level system isn't undoing that work. Backdoors can (and probably do) exist in not only compilers, but in hardware. If this is the case, then broken encryption parameters are far less important. For example, git uses SHA1 for encryption. Assuming the scheme isn't already broken, it is likely possible to generate a collision with brute-force (especially if you need only one number). If some link in the git chain were thus broken, a replacement file with a backdoor payload could be injected (eg. in the confusion surrounding the gnu.org repos being hacked). As ken points out, once that initial injection is made (assuming it is of sufficent quality) it can be used to add anything to future compiled versions.

This must be the reason my checking account never balances.....