Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


Are the NIST Standard Elliptic Curves Back-doored? 366

Posted by Unknown Lamer
from the nsa-versus-nist dept.
IamTheRealMike writes "In the wake of Bruce Schneier's statements that he no longer trusts the constants selected for elliptic curve cryptography, people have started trying to reproduce the process that led to those constants being selected ... and found it cannot be done. As background, the most basic standard elliptic curves used for digital signatures and other cryptography are called the SEC random curves (SEC is 'Standards for Efficient Cryptography'), a good example being secp256r1. The random numbers in these curve parameters were supposed to be selected via a "verifiably random" process (output of SHA1 on some seed), which is a reasonable way to obtain a nothing up my sleeve number if the input to the hash function is trustworthy, like a small counter or the digits of PI. Unfortunately it turns out the actual inputs used were opaque 256 bit numbers, chosen ad-hoc with no justifications provided. Worse, the curve parameters for SEC were generated by head of elliptic curve research at the NSA — opening the possibility that they were found via a brute force search for a publicly unknown class of weak curves. Although no attack against the selected values are currently known, it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies. Now that the world received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation, NIST re-opened the confirmed-bad standards for public comment. Unless NIST/the NSA can explain why the random curve seed values are trustworthy, it might be time to re-evaluate all NIST based elliptic curve crypto in general."
This discussion has been archived. No new comments can be posted.

Are the NIST Standard Elliptic Curves Back-doored?

Comments Filter:
  • Meta review (Score:5, Interesting)

    by pr0nbot (313417) on Wednesday September 11, 2013 @08:56AM (#44818101)

    As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

    • Re:Meta review (Score:5, Insightful)

      by FriendlyLurker (50431) on Wednesday September 11, 2013 @09:03AM (#44818141)

      it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

      Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

      As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

      Exactly. A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable, and they should be put to task over the issue, removed from decision making posts and in the worst cases, professionally shunned by the community and excluded from all standards processes... the cost of not doing this is a return to business as usual once things settle down.

      • by Taco Cowboy (5327) on Wednesday September 11, 2013 @09:20AM (#44818271) Journal

        ... A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable

        This, and many other expose, can only come to light, because of the courage of a single person - Mr. Edward Snowden.

        If not for Mr. Snowden, would we ever discover the phenomenon of the "magic number" ?

        If not because of Mr. Snowden, we wouldn't even begin to question the integrity of those previously highly regarded "very important people".

        If not for his courage, how much more damage all of us have to suffer ?

        And yet, inside the United States of America, there are still people equating Mr. Snowden as though he is a traitor.

        And even here in Slashdot, we have posters posting very stinging attack on Mr. Snowden.

        Our country is under attack, and the attacker is our own government, but yet, there are still Americans who will do everything to help deepen the tyranny, all in the name of "patriotism".

        I, an American citizen, do owe my deepest thanks to Mr. Edward Snowden, and I do hope that more of my fellow Americans should start acknowledge something very very wrong has happened to America, the country we love so much, and that we should start doing something together, to RIGHT THE WRONGS.

        There have been too many comments that essentially convey the message that we, the People of America, have no power to determine our own future, and that our government, is so overwhelmingly powerful that we are ready to become their slaves, rather than stand up and oppose the tyranny.

        Is America still the land of the free, and the home of the braves ?

        Or has American turned into the land of the enslaved, and the home of the cowards ?

        The choice is on your hand, my fellow Americans.

        Either we start righting the wrongs now, or we will end up handing over to our children a country of tyranny.

        Are we going to let our children suffer because of our cowardice ?

        You are the only one who can answer the question.

        • by j3thr0 (189013) on Wednesday September 11, 2013 @09:31AM (#44818367)
          • by rvw (755107) on Wednesday September 11, 2013 @09:35AM (#44818399)

            So why has nobody fixed this in the past six years? Thanks to Snowden it's back in the spotlight, and now it seems like action is being taken. That's his legacy. I thank him for that.

            • by Anonymous Coward on Wednesday September 11, 2013 @12:37PM (#44820399)

              Before it came to light as a theoretical possibility. People could see that the possibility existed, however accusing the NSA of having used it would be accusing them of deliberately and knowingly weakening the security of systems designed to be used in defence of their country. That is a pretty serious accusation against people who essentially work for the military. Most people's belief in innocent until proven guilty made that a hard case to make.

              Now, thanks to Snowdon, we know they have been weakening system security for their own convenience. Suddenly many people's old viewpoints have become obviously naive.

          • by IamTheRealMike (537420) <mike@plan99.net> on Wednesday September 11, 2013 @09:42AM (#44818461) Homepage

            That story is about Dual_EC_DRBG which was indeed strongly suspected of being an NSA back door back in 2007. Snowden confirmed the suspicion. However this story is not about that algorithm. It's about the SEC random curves that are used for signing and other crypto, not random number generation. There are two different algorithms under discussion here.

          • by gr8_phk (621180) on Wednesday September 11, 2013 @12:43PM (#44820461)
            http://it.slashdot.org/story/07/11/15/184204/new-nsa-approved-encryption-standard-may-contain-backdoor [slashdot.org] I remember at the time it seemed to be confirmed that there IS a backdoor. The question of weather anyone knew the magic numbers to open that door seemed obvious at the time as well - the NSA chose the numbers. It would go against everything they stand for NOT to have the keys.

            Side note: Contrary to what some folks claim, this does not make the system weak against any foreign enemy, criminals, or hackers. It makes it weak only to the NSA so long as no one else discovers the master key. Not that this makes it ok, just not as bad as some claim.
        • Some related reading: "The Responsibility of Intellectuals" [wikipedia.org]
        • by lkcl (517947) <lkcl@lkcl.net> on Wednesday September 11, 2013 @10:17AM (#44818803) Homepage

          if you've seen the film with nicholas cage, it highlighted for me for the very first time that the U.S. Constitution was written by some extremely fore-sighted people. there are specific words in it which not just permit but *OBLIGATE* you - each and every american citizen - to overthrow any government that has become tyrannical or otherwise lost its way.

          given that america has such a significant hold over the rest of the world, *i* as a UK citizen am obligated to point this out to you, because by not doing so it will have an adverse effect (through erosion of sovereign rights of each and every country - erosion initiated by the corrupt U.S. Govt infrastructure) on *my* country to whom *i* hold allegiance.

          so - get to it, americans - get your act together!

        • Elliptic curve cryptography looks great on a machine running HollywoodOS at your local cineplex, but I have yet to see a single convincing argument for using it for real life cryptography beyond the cool factor and a bunch of hand waving. It's weak and suffers from weird factorization and Fourier based cryptanalysis, and it's simply inferior to exponentiation based algorithms such as those using in Diffie-Hellman variants, RSA, DSS, krb5, etc.
        • by alexgieg (948359)

          we should start doing something together, to RIGHT THE WRONGS.

          The problem is that whenever discussions on these topics come about, the proposed "solutions" are always framed within the rules set by the power elites. And the power elites are this because they are masters of this game. In fact, they've mastered it so much that nowadays even violent revolutions are no exceptions, they also fit within the rules, just another subset of the same old game.

          No, the actual solution is to break the rules altogether. Throughout history what managed to alter the rules the most wer

      • it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

        Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

        I think the word "magic" is being used with two different meanings here. One meaning is "arbitrary but consistent": those numbers which must be standardised, such as the SHA seeds used to find these curves. The other meaning is "chosen for completely unknown reasons", which describes these particular seed values. The former is a requirement of most cryptographic standards, but the latter should be avoided. If we need to consistently choose an arbitrary number, let it be 1, or pi, or e. Anything else is susp

        • Re:Meta review (Score:5, Informative)

          by afidel (530433) on Wednesday September 11, 2013 @09:31AM (#44818371)

          Suspicious yes, but not necessarily bad, remember that the NSA also manipulated the s-box values for DES to make them more resistant to differential cryptanalysis, a technique not yet known by the wider community.

          • by AmiMoJo (196126) *

            Unless they chose numbers that they could break, but which other country's agencies who also independently discovered differential analysis might not.

            At this point I think we have to assume anything that the NSA ever did was malicious.

        • Re:Meta review (Score:5, Interesting)

          by postbigbang (761081) on Wednesday September 11, 2013 @10:01AM (#44818625)

          Even when pi or rho or other "random" numbers are used for seeds as "magic" numbers, additional hashing and rehashing is needed to give further difficulty to decryption by those NOT having the key numbers.

          With each new algorithm there is an army chomping at the bit (pardon the pun) to decrypt it, if not for fun or enlightenment, for the profit of the decrypted information value-- if any.

          The problem here is trust. The NSA has blown its trust completely, beyond identifiability. Other initiatives, like SELinux, and security initiatives are now also in question, as well as anything the NSA has touched. They're dirty, and make Americans and the world not trust in their own government. We were supposed to be the good guys, we Yanks, and guess what? It was all a lie. Now the NSA has made an enemy of civil people, and civil people will need to protect themselves extra-governmentally, because the government has proven it's not protecting the interests of its citizenry.

          Sorry to astroturf, but seeds are no longer the problem. The problem is trust.

      • by Anonymous Coward on Wednesday September 11, 2013 @09:24AM (#44818311)

        So I can just replace the NSA's magic-numbers with my own generated from RdRand! *ducks*

        • by AmiMoJo (196126) *

          Seriously though, why don't we do this and also depreciate all suspect PRNGs immediately? Every Linux/BSD distro should be scrambling to do it.

          • You might have seen the story about Linus Torvalds' reaction to calls for this...and he's right. Even if RdRand were entirely predictable, since it's only one input used to seed /dev/random, it could only help.

          • Re:Meta review (Score:4, Interesting)

            by Dan Ost (415913) on Wednesday September 11, 2013 @10:35AM (#44819001)

            Because the designers of the Linux random number generator code designed things such that if RdRand is compromised, it doesn't reduce the strength of the random number generated. However, if it is not compromised, then the randomness is stronger.

            Why should we give up a potential benefit if there is no possible harm?

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

        That's easy to explain. Secret orders from secret courts and secret gag orders with secret threats that you will be "relocated" to a secret prison somewhere unless you comply (and keep your objections secret).

      • by Qzukk (229616)

        how do we explain the common practice of using magic numbers in cryptography standard, then?

        They came from the government, and the government is here to help.

      • by kelemvor4 (1980226) on Wednesday September 11, 2013 @10:17AM (#44818799)

        it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

        Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

        Explainable magic numbers.

    • by mwvdlee (775178)

      Somehow I don't think these weaknesses were introduced through any formal part of the process.

    • by TWiTfan (2887093)

      Don't worry, James Clapper has assured us that there is nothing to see here--and that the NSA's petabytes of storage, tens of billions of dollars of CPU muscle, and 35,000 employees are just being used to spy on a few diplomats in some embassy in some country that we don't like anyway (probably one of them commie ones).

      Now let's all stop worrying about such silly matters and go buy new iPhones!

    • by X.25 (255792)

      As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.


      It is simple. Weakness was 'trust'.

      I did want to believe that NSA wouldn't be such cunts as to completely ruin the internet and open research by abusing the trust people gave them. I gave them my trust as well.

      They basically destroyed the Internet as we knew it, because much of it was based on trust.

      Welcome to collection of commercial networks interconnected for adveritising and content consuming purposes.

      Because that's pretty much what's left of it.

  • by wbr1 (2538558) on Wednesday September 11, 2013 @08:56AM (#44818107)
    Didn't TOR recently upgrade to the 'more secure' elliptic curve crypto?

    This shit will not end until this country is bankrupt completely, or taken over (from within or without).

    • Re:hmmm (Score:5, Insightful)

      by TWiTfan (2887093) on Wednesday September 11, 2013 @09:10AM (#44818189)

      The sad thing is that there is no way to ever put Humpty Dumpty back together again. The U.S. just permanently lost any position as a leading internet innovator. Nothing the U.S. leaders of industry can do now will ever earn back the trust of the rest of the world. No country or company in their right mind will ever trust a U.S. company with sensitive data ever again, and most of the companies that currently do are likely just biding time until they can find a non-U.S. based alternative (or some way to heavily encrypt their data).

      • You will find that the majority of decision makers around the world, whether in buisiness or government, will not care as much about this in the long run as you do.

        In other words, what you say should be true in book form but will not be true in practice. Many people/governments will not even bother looking to see who is behind what, they will be looking to see if it is an industry accepted standard and our personal concerns will rarely change those. If it could, we wouldn't see wireless at half these busine

        • by Boronx (228853)

          Their level of concern is proportional to how close their competitors are to the NSA.

          • by Lumpy (12016)

            Or if the NSA back doors get compromised and are in the wild. Suddenly the Idiot CTO's will take notice.

      • Will take time. I suspect that companies like Cisco will sigh a breath of relief over the next few months when sales don't plummet. What they won't realizes is that the biggest companies that have no doubt issued directives for an end to end anti-US snooping overhaul will take a while to figure out what needs to be replaced and which products are best. So while these audits and re-architectings take place these companies will continue with business as usual. And even when the plan is deployed I doubt 100,00
        • by gstoddart (321705)

          But there is one system that can't be broken and that is one time pads. You have to physically share the pad but that is not so onerous for most companies as they have trusted employees going from branch to branch all the time.

          I just don't see that as being as useful here. Or at least, not solving the general problem in a usable way.

          Take a multi-national with say, 20 offices, which seems small ... don't you need a OTP for each pair of offices? That's going to turn into a rather large number of OTPs, plus

          • by skids (119237)

            OTP is a bit of overkill, using a shared secret to generate intermediate keys buys you a lot of lifetime off a small amount of crypto material.

            • by gstoddart (321705)

              Except, in this case we're talking about how the algorithms themselves might be compromised.

              At which point, is your key exchange and encryption all that secure?

              From the sounds of it, if you can't trust the underlying crypto, you can't trust what you do with it.

        • by dbIII (701233)
          Cisco are quite evil without the help of unaccountable spooks, as seen when they had a Canadian man dragged out of a running court session by armed guards over some sort of copyright disagreement. They have zero respect for the law apart for what they can use as a blunt instrument.
          Their hardware isn't at the leading edge any more either.
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        The sad thing is that there is no way to ever put Humpty Dumpty back together again. The U.S. just permanently lost any position as a leading internet innovator.

        And because having worked for NSA or NSA-linked contractors is seen as a black mark [ycombinator.com] on one's academic career, NSA has also jeopardized its own ability to recruit the next generation of cryptographers.

        There's give and take between the SIGINT and COMSEC missions, and nobody here (or within the IC) is privy to all the information. I fear that by th

      • Re:hmmm (Score:5, Insightful)

        by joe_frisch (1366229) on Wednesday September 11, 2013 @11:28AM (#44819605)

        I think that American users have more to fear from US government spying than foreign users do. Frankly I don't care if the Chinese government has access to all of my personal data - they have very little ability to or interest in interfering with my life. The US government on the other hand is much more likely to act against me in response to my (hypothetical) online mis-behavior. In the same way Chinese citizens have little to fear from the US government but a lot to fear from their own.

        The very important exception to this is when you are dealing with industry trade secrets it is quite possible that foreign governments with links to industry represent a larger threat than your own. Of course while the NSA as an organization almost certainly does not sell trade secrets that they have obtained, it is possible that individuals working for the NSA might do so. Snowdon stole a bunch of information and turned it public, another man in the same situation might well have sold it.

      • No country or company in their right mind will ever trust a U.S. company with sensitive data ever again, and most of the companies that currently do are likely just biding time until they can find a non-U.S. based alternative (or some way to heavily encrypt their data).

        The US government is the most untrustworthy government - except for all the others.


    • Re: (Score:3, Informative)

      by Anonymous Coward

      Yes, but they are using curve25519 which is not one of the curves recommended by NSA or NIST, and which does not have any unexplained magic numbers in its definition.

      • by Anonymous Coward

        Yes, but they also use ECDHE TLS p224 to negotiate TLS secret keys. Isn't that recommended by NIST?

        I'm not an expert, I'm just asking.

  • by pikine (771084) on Wednesday September 11, 2013 @09:09AM (#44818183) Journal
    Color me ignorant, but could someone please explain that elliptic curve is more secure than RSA? Wikipedia even claims that a 128-bit EC key is equivalent to 3072-bit RSA key. Even if it's computation complexity brute forcing discrete log or integer factorization on a non-deterministic turing machine, it should differ by no more than a small constant factor, e.g. 512-bit versus 1024-bit, not by O(sqrt(n)) as Wikipedia claims. Wikipedia is simply quoting NSA [nsa.gov].
    • by Anonymous Coward on Wednesday September 11, 2013 @09:25AM (#44818329)

      The number field sieve relies on the smoothness of the integers modulo n. Using an elliptic curve group rather than the integers modulo n removes this smoothness, so the fastest algorithms available to determine the discrete logarithms are much slower (I believe they're based on Pollard's rho algorithm).

      If that made no sense to you, go brush up on your number theory.

      If you don't want to learn number theory, then accept that you are incapable of having an informed opinion on asymmetrical cryptography standards. (Which is okay, we can't all have an informed opinion on every issue; your brain can only hold so much stuff, right?)

    • by gnasher719 (869701) on Wednesday September 11, 2013 @09:27AM (#44818351)
      A 1024 bit RSA key can trivially be cracked in 2^512 operations. An algorithm that uses 2^341 operations (cube root) and involves no more than high school maths was found about 1975. Then we need to go into deep maths, but there are algorithms that are significantly faster, and there is no good reason to think that more progress couldn't be made. 128 vs 3072 is a bit much, but factoring 1024 bit numbers in 2^128 operations doesn't seem impossible.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      Public key cryptography is based on mathematical operations which are easy to do but difficult to do in reverse. For example, it is easy to multiply two big prime numbers, but it is difficult to factorize the product. There are multiple such easy-difficult pairs. Currently none of the supposedly difficult problems has been proven to be difficult. It is just assumed that they are difficult because nobody has found an easy way, but people are working on making the difficult problem easier to solve, and advanc

    • by Anonymous Coward on Wednesday September 11, 2013 @09:38AM (#44818431)

      The discrete log problem on an elliptic curve is believed to be more computationally intensive than the discrete log problem in a ring of integers. For example, see http://www.ams.org/journals/mcom/1987-48-177/S0025-5718-1987-0866109-5/S0025-5718-1987-0866109-5.pdf and http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=F220DD223483B78B72C9CE243A62ADD7?doi=

    • The difference boils down to factoring integers versus computing discrete logarithms in elliptic curve groups. The best publicly known integer factorization algorithm is GNFS which runs in roughly O(2^(n^1/3)), whereas the best publicly known ECDLOG algorithm runs in O(2^(n^1/2)). That is why we need RSA keys that are so much larger than ECC keys.

      That, of course, is a theoretical argument. In practice, there are other issues to consider. ECC has a lot of parameters and there are a lot of constraints
    • by lordlod (458156) on Wednesday September 11, 2013 @10:17AM (#44818785)

      The elliptic-curve algorithm is much slower for future quantum based attacks. So it's future-proofing, which is required if you want your secrets to stay secret.

      You could get similar results by adopting a 15000 bit RSA key... but that's getting rather large.

      A paper with some classical and quantum time estimates, Elliptic-Curve vs RSA: http://arxiv.org/pdf/quant-ph/0301141v2.pdf [arxiv.org]

    • An RSA private key is two prime numbers, the public key is the product of those primes. You only have to find the smaller of the two secret primes, so a full brute force search only has to consider numbers that are prime and less than the square root of the public key size. And I believe there are a number of other shortcuts that can be used to reduce the search. Whereas for EC keys (AFAIK) practically all of the key space of 128-bit integers are valid private keys.
  • by Anonymous Coward on Wednesday September 11, 2013 @09:10AM (#44818193)

    Why are people even asking if it's been backdoored? It's already established that no one can explain the constants. It hasn't been shown to not be backdoored. That's enough to prove beyond the shadow of a doubt that it's wrong. Arguing about whether the standard is compromised by mere incompetence or malice, isn't worth spending time on.

    If you don't know something is done right, then that alone is irrefutable proof that it has been done wrong. Even if they're good constants.

    • It hasn't been shown to not be backdoored

      You can't really prove that something doesn't have a back door without putting in enough resources to find all the back doors there could possibly be.. so that doesn't make much sense either.

      • by Entropius (188861)

        If you find out that the locksmith who installed your locks is working for the mob, changing your locks is probably a pretty good idea. Do you know that he's given them a copy of the master key? No, but a locksmith getting paid by the mob usually means only one thing...

    • by Chacharoo (977107) on Wednesday September 11, 2013 @10:17AM (#44818791)
      I wish the parent were modded up. It's the loss of trust that's the bottom line. The constants may well not be back-doored. Or they may be. But once the trust is gone, and there's no verification of how the numbers arose in the first place, it's already too late.
  • " Now that the world received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation,"
    What confirmation? Really I fear slashdot has become pure click bait.

    • Re:Reference? (Score:5, Informative)

      by IamTheRealMike (537420) <mike@plan99.net> on Wednesday September 11, 2013 @09:20AM (#44818273) Homepage

      Sorry, I could have provided a link for that too. It was in the major Snowden story of last week that revealed the NSA was undermining public standards. The New York Times said this [nytimes.com]:

      Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

      Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

      Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

      “Eventually, N.S.A. became the sole editor,” the memo says.

      Although the NYT didn't explicitly name the bad standard, there's only one that fits the criteria given which is Dual_EC_DRBG.

      • Re:Reference? (Score:5, Informative)

        by afidel (530433) on Wednesday September 11, 2013 @09:27AM (#44818347)

        Bruce Schneier talked about DRBG being a probable backdoor back in 2007 [schneier.com].

      • The problem I have with this article is that it also doesn't say what "appears to confirm" actually means.

        The two quotes would apply as much to the agency pushing a standard through a difficults standards body as it would to hiding a weakness in a standard while doing the same.

        Where do these quotes appear? Where is the surrounding context? If you can say the NSA weakened an encryption standard then why can't you give more context since that's almost certainly not a problem people are going to imminently die

  • by Anonymous Coward on Wednesday September 11, 2013 @09:19AM (#44818265)

    The essence of what the NSA did, was to replace cryptographic security with security through obscurity. People who haven't found the back door yet don't know its there. Classic 'security via obscurity' that is the opposite of crypto.

    Now everyone knows they're there, we need to replace them damn fast. Waiting for the backdoor to be verified is too late, by then bad actors (I mean ones other than General Alexander) could already have found it.

    Replacing these takes time, and so the assumption should be they are vulnerable, because the NSA leaks show the NSA knows they are vulnerable, even if we don't quite know the micro detail of how, yet.

  • by aaaaaaargh! (1150173) on Wednesday September 11, 2013 @09:24AM (#44818313)

    Dear NSA,

    Since I'm getting tired of these stories and it seems kind of unfair that you're getting all the heat recently, here is my suggestion how you could improve your PR image by doing something to our mutual benefit:

    Please use your supercomputers for a few months to aggressively mine Bitcoins and Litecoins. That would make you (virtually) richer than you already are and free me and the rest of the world in future from annoying Bitcoin-mining stories.

    If you like this idea, consider donating some Bitcoins to me. You know where to find me.

    Thank you for your attention and best regards,


    • Re: (Score:3, Funny)

      by Anonymous Coward

      They are ALL open letters to the NSA.

    • by Boronx (228853)

      With their computing power, they could just create their own counterfeit bitcoins that would outvote the rest of market, effectively stealing everyone's coins.

  • The darker crypto history of the 1950-80's would point to long term weak export grade devices.
    Why this generation of software and hardware would be allowed to be any different seems to have escaped a few people.
    First the govs look at the private leadership, the firms, the brands - help stop communists....
    If that fails, go for longterm staff with issues.
    If that fails, set up a gov backed front company or standard out spending and undercutting any emerging private experts.
    Looking back why did so few not
  • Justified paranoia (Score:5, Insightful)

    by return 42 (459012) on Wednesday September 11, 2013 @09:42AM (#44818465)

    I think we are all going to have to be a lot more paranoid from now on about the public comments NIST gets on crypto standards. We can count on NSA to continue to try to mess with the standards, but they won't do it openly. They'll use proxies with no traceable connection to NSA. The crypto experts will have to examine these things a lot more carefully. Hanlon's razor [wikipedia.org] won't cut it anymore.

  • I was going to submit the same story. I'm glad I didn't; that summary is much better than what I had in mind. Nicely done, Unknown Lamer, IamTheRealMike, and any other editors who helped. Thank you for your effort on this important topic!

  • by pla (258480) on Wednesday September 11, 2013 @09:59AM (#44818591) Journal
    I only see people discussing the first-level implications to privacy and security of the NSA having chosen parameters that lead to a somehow-weak curve. Except - That doesn't take any special NSA magic, they just cheated up front.

    Such discussion completely overlooks the much bigger problem here, however - The NSA chose parameters that give a weaker curve. Parameters generated as the output of hashing them with SHA1.

    The ability to choose parameters strongly suggests that the NSA has a way to produce input texts that yield a desired SHA1 hash. That takes special NSA magic, and should really count as the FP story here, not the far less impressive trick of stacking the deck in their favor.
    • by skids (119237)

      SHA1 has been deprecated (mainly as a precaution, but with evidence that attacks were starting to gain a small foothold) since 2005 (by NIST itself even) in favor of the SHA2-240/256/384/512 suite. The question really is why did the selection of SHA1 over a SHA2 variant (I assume in 2007 since that is when the first draft of what became RFC 5639 was published) not raise red flags, in addition to the from-the-sleeve seeds?

  • We need community and built and vetted algorithms, easy and in-built encryption that doesn't rely on a "trusted" third party infrastructure, e-mail encryption that just works, zrtp for all voice communications on by default, and a genuinely locked down android system with firewalling.

    There are a lot of Google services we rely on that can be replaced with decentralized community replacements. Clearly, Google is working for the enemy. Clearly, Facebook is working for the enemy. Here we can look to TOR and Bit
  • by mrflash818 (226638) on Wednesday September 11, 2013 @01:04PM (#44820691) Homepage Journal

    There may be a solution to the NSA problem:

    Make a new fully open process, open source encryption system, fully peer-reviewed, global internet participation possible, global peer review possible.

    Use the development of the Linux kernel as a model. Use the global participation of Debian as a model.

    Perhaps, like kernel.org, there can be FOE.org (Fully Open Encryption dot org) created.

    Then that FOE system and software can be collaborated on via git, the developer community, and the security community. ...just my two cents.

"Ada is the work of an architect, not a computer scientist." - Jean Icbiah, inventor of Ada, weenie