
Dual_EC_DRBG Backdoor: a Proof of Concept 201

Posted by Soulskill
from the this-is-how-we-do-it dept.
New submitter Reliable Windmill sends this followup to the report that RSA took money from the NSA to use backdoored tech for random number generation in encryption software. From the article: "Dual_EC_DRBG is a pseudo-random number generator promoted by NIST in NIST SP 800-90A and created by the NSA. This algorithm is problematic because it has been made mandatory by the FIPS norm (and should be implemented in every FIPS approved software) and some vendors even promoted this algorithm as the first source of randomness in their applications. If you still believe Dual_EC_DRBG was not backdoored on purpose, please keep reading. ... It is quite obvious in light of the recent revelations from Snowden that this weakness was introduced on purpose by the NSA. It is very elegant and leaks its complete internal state in only 32 bytes of output, which is very impressive knowing it takes 32 bytes of input as a seed. It is obviously complete madness to use the reference implementation from NIST"
  • Bah (Score:3, Interesting)

    by colinrichardday (768814) <colin.day.6@hotmail.com> on Wednesday January 01, 2014 @03:17PM (#45838767)

    Who can you trust?

  • by Anonymous Coward on Wednesday January 01, 2014 @03:32PM (#45838891)

    xorshift64 is a simple random number generator with a period of 2**64 - 1 (you cannot use 0).
    The 64 bit random number that it produces is the same as its complete state.
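    The following block is an added example, written for this page and not taken from the linked article or from any commenter. It illustrates the failure mode that both the summary and the comment above describe: a generator whose output reveals its full state can be continued by anyone who sees a single output. It uses the xorshift64 generator named in the comment, whose output is literally its state; in Dual_EC_DRBG, as the summary puts it, the state is also recoverable from the output, but only with the trapdoor relation between the curve points, which this toy does not model. The seed value and the `outputs_expose_state` check are constructed for the example.

```python
import os

MASK64 = (1 << 64) - 1


def xorshift64_step(state):
    """One step of Marsaglia's xorshift64 with the (13, 7, 17) shift triple.
    The returned value is both the generator's output and its entire new state."""
    if not 0 < state <= MASK64:
        raise ValueError("xorshift64 state must be a non-zero 64-bit value")
    state ^= (state << 13) & MASK64
    state ^= state >> 7
    state ^= (state << 17) & MASK64
    return state


def xorshift64_stream(seed, n):
    """Return the next n outputs of xorshift64 started from `seed`."""
    out, s = [], seed
    for _ in range(n):
        s = xorshift64_step(s)
        out.append(s)
    return out


def predict_from_one_output(observed, n):
    """Given one observed output, predict the following n outputs.
    No key, brute force or extra samples are needed: the output *is* the state."""
    return xorshift64_stream(observed, n)


def outputs_expose_state(outputs, step=xorshift64_step):
    """Check whether every output in a stream is exactly `step` applied to the
    previous one, i.e. whether the stream hands out the generator's full state.
    True for a bare xorshift64 stream; a CSPRNG stream should give False."""
    return all(step(a) == b for a, b in zip(outputs, outputs[1:]))


def urandom_words(n):
    """n 64-bit words from the OS CSPRNG, for comparison (constructed sample;
    a zero word is mapped to 1 so it is a legal xorshift64 state)."""
    return [int.from_bytes(os.urandom(8), "big") or 1 for _ in range(n)]


if __name__ == "__main__":
    secret_seed = 0x9E3779B97F4A7C15   # constructed seed, never shown to the observer
    stream = xorshift64_stream(secret_seed, 5)
    observed = stream[0]               # the observer sees exactly one output...
    print("predicted:", predict_from_one_output(observed, 4))
    print("actual:   ", stream[1:])    # ...and the prediction matches it exactly
    print("xorshift64 stream exposes state:", outputs_expose_state(stream))
    print("urandom stream exposes state:   ", outputs_expose_state(urandom_words(5)))
```

    `outputs_expose_state` is the kind of sanity check worth keeping in the test suite of any home-grown generator: if treating each output as the state reproduces the next output, the generator is a fine statistical PRNG and unusable wherever unpredictability matters, which is exactly why a security generator keeps a one-way function (or, in Dual_EC_DRBG's case, a supposedly hard discrete-log problem) between its state and its output.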

  • by gman003 (1693318) on Wednesday January 01, 2014 @04:01PM (#45839131)

    Actually read TFA, enough flew over my head that I can't personally verify the math, but if true, well holy fucking shit. Once someone brute-forces the backdoor "key" used by the NSA, it looks like the entire system is cracked. Even if it takes a while to brute-force, once you have that you can open any encryption using that curve.

    Given that cracking this open would be so useful to both other monitoring agencies, and to criminal hackers, it's sure to happen eventually, if it hasn't already. I'm sure China could throw one of their supercomputers at it.

    I'd be curious to know just how hard it would be to brute-force the backdoor key itself. There didn't seem to be anything in TFA about that, and I can't figure out the math myself.

  • Re: OpenBSD (Score:5, Interesting)

    by Richard_at_work (517087) <richardprice&gmail,com> on Wednesday January 01, 2014 @04:06PM (#45839179)

    No, because OpenBSD doesn't just use this PRNG as the source of randomness for its encryption implementations, it has used other sources mixed in for a long time. There was a recent story about FreeBSD switching to other sources and De Raadt being all cocky about other people finally doing what OpenBSD has done for years.

  • Re:Amish (Score:5, Interesting)

    by cold fjord (826450) on Wednesday January 01, 2014 @05:33PM (#45839751)

    Shun anything electronic, or electric for that matter. Subsistence farm and read dead-tree books for leisure.

    Spooked by NSA, Russia reverts to paper documents [usatoday.com]
    Kremlin returns to typewriters to avoid computer leaks [telegraph.co.uk]

    Only one of the many "benefits" from the leaks, not to mention:

    Snowden revelations lead Russia to push for more spying on its own people [pri.org]

  • by cold fjord (826450) on Wednesday January 01, 2014 @06:28PM (#45840111)

    In short, your reading as a lawyer doesn't produce anything helpful in furthering the claim that they deliberately weakened RSA.

    They didn't make a "non-denial." It appears to be quite explicit. I suggest following the link and reading the original.

  • by cold fjord (826450) on Wednesday January 01, 2014 @07:12PM (#45840563)

    You exaggerate things, which is consistent with much of the discussion on this. I suggest reading the whole article at the link.

    How a Crypto ‘Backdoor’ Pitted the Tech World Against the NSA [wired.com]

    Jon Callas, the CTO of Silent Circle, whose company offers encrypted phone communication, delivered a different rump session talk at the Crypto conference in 2007 and saw the presentation by Shumow. He says he wasn’t alarmed by it at the time and still has doubts that what was exposed was actually a backdoor, in part because the algorithm is so badly done.

    “If [NSA] spent $250 million weakening the standard and this is the best that they could do, then we have nothing to fear from them,” he says. “Because this was really ham-fisted. When you put on your conspiratorial hat about what the NSA would be doing, you would expect something more devious, Machiavellian and this thing is just laughably bad. This is Boris and Natasha sort of stuff.”

    Indeed, the Microsoft presenters themselves — who declined to comment for this article — didn’t press the backdoor theory in their talk. They didn’t mention NSA at all, and went out of their way to avoid accusing NIST of anything. “WE ARE NOT SAYING: NIST intentionally put a back door in this PRNG,” read the last slide of their deck.

    The Microsoft manager who spoke with WIRED on condition of anonymity thinks the provocative title of the 2007 presentation overstates the issue with the algorithm and is being misinterpreted — that perhaps reporters at the Times read something in a classified document showing that the NSA worked on the algorithm and pushed it through the standards process, and quickly took it as proof that the title of the 2007 talk had been right to call the weakness in the standard and algorithm a backdoor.

  • Re:Bah (Score:4, Interesting)

    by 1s44c (552956) on Thursday January 02, 2014 @02:47AM (#45843497)

    Theo de Raadt.

    OpenBSD is trustworthy but you have to be suspicious of the BIOS it runs under and every network it connects to.
