Dual_EC_DRBG Backdoor: a Proof of Concept
New submitter Reliable Windmill sends this followup to the report that RSA took money from the NSA to use backdoored tech for random number generation in encryption software. From the article:
"Dual_EC_DRBG is a pseudo-random number generator promoted by NIST in NIST SP 800-90A and created by NSA. This algorithm is problematic because it has been made mandatory by the FIPS norm (and should be implemented in every FIPS approved software) and some vendors even promoted this algorithm as first source of randomness in their applications. If you still believe Dual_EC_DRBG was not backdoored on purpose, please keep reading. ... It is quite obvious in light of the recent revelations from Snowden that this weakness was introduced on purpose by the NSA. It is very elegant and leaks its complete internal state in only 32 bytes of output, which is very impressive knowing it takes 32 bytes of input as a seed. It is obviously complete madness to use the reference implementation from NIST"
Bah (Score:3, Interesting)
Who can you trust?
Amish (Score:5, Funny)
shun anything electronic, or electric for that matter. Subsistence farm and read dead-tree books for leisure.
Re: (Score:2, Funny)
Trees are the new Red-black [wikipedia.org]!
FTFY!
Re: (Score:2)
shun anything electronic, or electric for that matter. Subsistence farm and read dead-tree books for leisure.
Only read illuminated books though, not printed books. Otherwise, you're no better than the Luddites (who, while known for destroying printing presses and automated looms, weren't actually against the technology, just against it only being in the hands of the rich and powerful, to the detriment of the working class).
Re:Amish (Score:5, Interesting)
shun anything electronic, or electric for that matter. Subsistence farm and read dead-tree books for leisure.
Spooked by NSA, Russia reverts to paper documents [usatoday.com]
Kremlin returns to typewriters to avoid computer leaks [telegraph.co.uk]
Only one of the many "benefits" from the leaks, not to mention:
Snowden revelations lead Russia to push for more spying on its own people [pri.org]
Re: (Score:3, Funny)
Ghostbusters!
Re:Bah (Score:4, Interesting)
Theo de Raadt.
OpenBSD is trustworthy but you have to be suspicious of the BIOS it runs under and every network it connects to.
Re: (Score:2)
What about the network over which you download the file that contains those hashes?
You could buy a CD but then you would say what about the postal system. I can't argue against you because you are right. But you have to make an assumption of trustworthiness somewhere.
Re: (Score:2)
Trust is a weakness for the world of spooks, not everyone lives in their world, but everyone seems to be a target for their affections at any cost...
Never trust an NSA douchebag (Score:3)
And really, I'd use Blowfish ahead of any NSA encraption algorithm or LOL AES. If history has a sense of irony, China will pwn the entire US IT infrastructure using NSA backdoors.
Re: (Score:2)
FWIW, Bruce Schneier thought AES was fine to use, last I read him comment on it. There are weaknesses, but he didn't think they were of practical importance, and AES has been attacked hard by a large number of very intelligent people.
Re: (Score:3)
Your argument makes no sense. You say that Snowden wouldn't have access, yet he clearly had access to hundreds of thousands of TOP SECRET classified documents. And suspicions around Dual EC_DRBG were raised by Bruce Schneier and other cryptographers about 5 years ago, long before Snowden leaked a byte.
The backdoor remains an undemonstrated weakness, as nobody's actually published the key secret numbers that prove it can be exploited. But I am given to understand the math that points to the hol
Re: (Score:2)
Not so. As long as the backdoor itself is tightly in the hands of the NSA only, as it apparently still is, this is a massive advantage for US security interests.
Re: (Score:3)
Only we can't know that. It's entirely possible that all this and more had been stolen from the NSA countless times before Snowden made their crappy internal security an undeniable fact.
If the Russians, Chinese, or who knows who else already got knowledge on how to exploit this weakness they would be quietly using it and we would never know.
Re: (Score:2)
Possible? Yes. Likely? No.
Security is a process. Security subversion is also a process. All of them include risks. The point of both is to ensure that risk is acceptable in comparison to the action and its reward.
Re: (Score:2, Informative)
That "stolen credentials" story seems to be widely circulated but not much anchored in evidence. In fact, it probably originated from some NSA insider to discredit Snowden. A more detailed report of what happened comes from an article from Ars Technica. A very good read, by the way:
The National Security Agency’s oversharing problem
http://arstechnica.com/information-technology/2013/12/the-national-security-agencys-oversharing-problem/ [arstechnica.com]
Re: (Score:2)
But the NSA left masses of top secret stuff lying around where Snowden could find it. You are wrong in saying he 'stumbled' across it though, he acted unethically and broke serious laws to serve what he saw as a greater good.
Re: (Score:3)
I don't trust the article for one. I'm as paranoid as everyone else around here, but I don't think the NSA cooperated with RSA to put in a backdoor here, no matter how much Saint Snowden claims. If the NSA had such a backdoor it would be an extremely well kept secret and not left around where any low level junior contractor like Snowden would stumble across it.
Go back and re-read how Snowden got to the position he did.
The "Darnbob" version for you folks that won't bother to learn anything: Snowden was a network admin / security guy. Therefore he had access to lots of stuff, as his job was about the security of those things, not about those things.
Re: (Score:2)
ANYONE who has ever been a network/sysadmin type can tell you that that position gets you the keys to the kingdom on day 1.
In the first week of my very first sysadmin job with a large gov't agency, in the days when I essentially knew NOTHING, they had me sitting in the director's chair, after hours, working on his PC, with his passwords all hand-written on a post-it (by the director himself) in front of me.
Another view on teh RSA / NSA thing... (Score:5, Informative)
Reuters reported on Saturday that the NSA had secretly paid RSA Data Security $10 million to make a certain flawed algorithm the default in RSA’s BSAFE crypto toolkit, which many companies relied on. RSA issued a vehement but artfully worded quasi-denial. Let’s look at the story, and RSA’s denial....
Re:Another view on teh RSA / NSA thing... (Score:5, Insightful)
The crypto email list [metzdowd.com] discussed this at length. People chimed in who remember when this happened. Here's my take away: EMC had just bought RSA, and was looking for profits, and many of the best and brightest at RSA had left. The NSA offered $10M to make their RNG the default in BSAFE, and no one at RSA could offer EMC management any compelling argument as to why they should not take the money. RSA issued a press release about it. There was no secrecy. Competitors thought it was foolish to take money from the NSA, and at the same time wondered how they could get onto this gravy train.
This is a case of typical incompetence. The response RSA published is slimy lawyer crapola. The lawyer sucks as bad as the incompetent EMC management. The good news is that there was no secret deal that RSA agreed to with the NSA to compromise all our security. The NSA did their job well. RSA didn't. I'll just point out that only crypto ignoramuses would accept closed-source un-auditable stuff from anyone when it comes to encryption, IMO. Money corrupts this industry.
Re:Another view on teh RSA / NSA thing... (Score:5, Insightful)
You need to read it like a lawyer. Take the first claim for example
> Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.
Note what is not denied:
* It is not denied that the contract existed
* It is not denied that they set Dual_EC_DRBG as default as a result of the contract
* It is not denied that the contract was secret (they do later deny that their relationship with NSA in general was not secret, which is correct, but does not preclude one contract from being secret)
The only thing they deny is that they knew that Dual_EC_DRBG contained a backdoor when they made the secret contract to set it as the default.
The same with their other non-denials.
Re: (Score:2)
RSA is very likely bound by a Non Disclosure Agreement. I would not expect them to EVER admit to this, unless or until a judge ordered them to do so, or ordered the NDA null and void.
Re:Another view on teh RSA / NSA thing... (Score:4, Insightful)
They didn't make a "non-denial." It appears to be quite explicit.
The only thing explicit is that RSA denied a bunch of highly specific scenarios. Let me highlight one word:
Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.
Now change that one word from "known" to "unknown". Did they deny that?
Plausible deniability. [wikipedia.org] The only truth with a hole in it!
Re: (Score:2)
That's very different. "Fried chicken recipe" isn't of interest to the asker, but the RSA deliberately orchestrating the insertion of an unknown flaw certainly is. All your parent is saying is that they have denied a very specific allegation, and perhaps that allegation is over-specific and got some non-essential details wrong, allowing them to misleadingly deny it as a whole.
Re: (Score:2)
Any time you make a denial more specific than necessary to get the point across, it raises suspicion. I don't think you need to change the word "known" to "unknown" to make a point, the mere fact that "known" is in there is odd. Same with "secret" contract. Nobody cares if the contract was secret, or if there even was a contract vs a high level understanding or a backroom verbal agreement.
That said, the bit you quoted at the end ("we also categorically state that we have never entered into any contract or e
Re: (Score:2)
Many news articles in mainstream media have pointed out that it is a non-denial. If RSA Security was innocent, it would be the easy to just issue a new press release saying unambiguously that no contract existed. Why hasn't RSA Security done that?
Re: (Score:2)
Many news articles in mainstream media have pointed out that it is a non-denial. If RSA Security was innocent, it would be the easy to just issue a new press release saying unambiguously that no contract existed. Why hasn't RSA Security done that?
It doesn't have to have been done as part of a conventional contract. They would deny the contract exists and not that they did the thing in question.
RSA can't be trusted unless they use absolutely clear phrasing, and even then they could be lying under orders from the NSA.
Re: (Score:2)
The question isn't whether they had a contract, but what the contract did.
Holy freaking guacamole. WHAT CONTRACT? The question is, why did RSA do what they absolutely incontrovertibly did? And here is what they did: they included an NSA-backdoored crypto RNG in their BSAFE product and made it the default RNG. In other news, RSA pocketed $10M of NSA's money.
Claiming that if they don't deny there was a contract [that] makes them "guilty" is playing games.
If it's a game, it sure is a fun one. Those pinpoint denials leave them plenty of wiggle room to say "We didn't know. We didn't know because when we asked, the NSA said 'You don't want to know' ". Or, "It wasn't a 'secret contr
Re: (Score:2)
When they "categorically deny weakening any RSA products" without all the caveats attached, it will be a denial. Until then, it's a denial of something that they weren't accused of, and not a word was said about what they were actually accused of.
We have plenty of examples of this kind of corporate speak in PR management, ranging from BP's fairly recent oil leak issue which was full of them to pretty much any other major industrial incident. We have people who spin this stuff for a living and make more doin
Re: (Score:2)
After you remove the PR crap, the sentence becomes:
"We didn't intend on weakening RSA's products".
It's not a denial of the backdoor. It's also not a denial of making a contract with NSA to backdoor the algorithm. It's merely a denial of intention on higher levels.
Classic plausible deniability, denial that means nothing if definite proof of this leaks next. They can simply claim they didn't know.
Re: (Score:2)
I think at this point the burden is on you to read: "we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."
That seems pretty definitive to me.
Ah. The old "we didn't MEAN to do it" defense.
Works for any four year old.
Next up, "my baby din do nuffin!" defense. (Despite overwhelming evidence indicating they DID do it.)
Re: (Score:2)
If I hold a gun to your head and tell you to give me your wallet or I blow your brains out and you give me said wallet... Well, that's not a contract or a project.
If the NSA walk into RSA headquarters and tell the boss he and all his senior management are going down for a long time for tax evasion unless they use an NSA created random number generator... Well, that's not a contract or project either.
What if you do believe? (Score:1)
So just like xorshift64 then (Score:2, Interesting)
xorshift64 is a simple random number generator with a period of 2**64 - 1 (you cannot use 0).
The 64 bit random number that it produces is the same as its complete state.
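The property the comment describes, that one xorshift64 output word is the whole state, can be checked directly. This is an added example, not code from the comment or from any library: it implements Marsaglia's xorshift64 with the common shift triple (13, 7, 17), runs it from a seed chosen here, and then shows that an observer holding only one output word can reproduce every later output.

```python
MASK64 = (1 << 64) - 1


def xorshift64(state):
    """One step of Marsaglia's xorshift64 with the shift triple (13, 7, 17).
    The returned 64-bit word is both the output and the complete new state."""
    x = state & MASK64
    x ^= (x << 13) & MASK64
    x ^= x >> 7
    x ^= (x << 17) & MASK64
    return x


def generate(seed, n):
    """Produce n outputs from a non-zero seed (0 is a fixed point of the map)."""
    outs, s = [], seed
    for _ in range(n):
        s = xorshift64(s)
        outs.append(s)
    return outs


def predict_from_one_output(observed, n):
    """An observer who saw a single output word knows the full state, so
    running the generator forward from that word yields all later outputs."""
    return generate(observed, n)


def demo(seed=0x9E3779B97F4A7C15, n=6):
    """Return True when the outputs predicted from outputs[0] match the rest.
    The seed is an arbitrary constructed value, not anything from the thread."""
    actual = generate(seed, n)
    predicted = predict_from_one_output(actual[0], n - 1)
    return predicted == actual[1:]


if __name__ == "__main__":
    print("later outputs predictable from one word:", demo())
```

The defensive point is the one the later reply makes: a generator whose output equals its state has no forward security at all, so it must never feed key material, regardless of how good its statistical properties look.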
Re: (Score:2)
I think the backdoored Dual_EC_DRBG still has forward security [wikipedia.org]. xorshift64 doesn't have forward security, if nothing else then because the period is small enough that you can brute force search it.
Hmmm (Score:1)
Meaning what? That encryption was good enough to keep likes of the NSA out even with their resources, and so they compromised it?
Or something even more insidious.
Re: (Score:2)
or they just wanted to make it easier/faster to break.
Re: (Score:2)
With certain file encryption algorithms, they asked that the salt and/or hashed password be tacked on at the end of the file. That sped up decryption enough that their resources could decrypt the file, but not so much that anyone else could figure out it was compromised.
Re: (Score:2)
"""
[0047] Escrow keys are known to have advantages in some contexts. They can provide a backup functionality. If a cryptographic key is lost, then data encrypted under that key is also lost. However, encryption keys are generally the output of random number generators. Therefore, if the ECRNG is used to generate the encryption key K, then it may be possible that the escrow key e can be used to recover the encryption key K. Escrow keys can provide other functionality, s
Re: Hmmm (Score:5, Insightful)
Business Intelligence, for the purpose of corporate espionage. You also have to take into consideration that the NSA does answer to someone, and that someone was corporate sponsored before they were even put on a ballot to be voted on. They were put up to this, and continuance of the program likely has little to do with terrorism as the program has proven fruitless even after intelligence information was given about events prior to them being given/developing these tools but they in fact failed to respond accordingly to prevent them, this includes 9/11.
Good article (Score:5, Informative)
The link above [0xbadc0de.be] is a very good introductory article on EC cryptography. If you know a little math but have no background in elliptic curves, this is a good introduction. Well worth reading.
Clearly explained at an introductory level, with Wikipedia links for the assumed terms.
Topical, singular (ie - it's the first one currently, a news "scoop" if you like), technical, and important.
Lots to like here - Slashdot needs more articles like this.
Re:Good article (Score:4, Informative)
Just to add to this, if you want a good primer on Elliptic Curve Cryptography in general (and not just this exploit), this article from Cloudflare is pretty great even if you don't have a mathematical background. It also explains RSA quite well, so it's a good general crypto primer:
http://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography [cloudflare.com]
Re:Good article (Score:5, Funny)
Too bad I've already given up on Slashdot and left. Really, I'm not here. You don't see me.
Weak are your Jedi powers, my son.
Re: (Score:2)
Hey.....did you guys hear something? I thought I heard a voice say something, but I couldn't quite hear what it was....
OpenBSD (Score:2)
Does this mean that OpenBSD has suffered a 3rd remote hole in its default installation? (http://it.slashdot.org/story/07/03/15/0045207/remote-exploit-discovered-for-openbsd)
(I don't understand the implications of Aris' blog above, so I'm hoping someone can explain it to me & other OpenBSD users.)
Re: OpenBSD (Score:5, Interesting)
No, because OpenBSD doesn't just use this PRNG as the source of randomness for its encryption implementations, it has used other sources mixed in for a long time. There was a recent story about FreeBSD switching to other sources and De Raadt being all cocky about other people finally doing what OpenBSD has done for years.
Re: (Score:3)
That particular bug you link was fixed a week before it was found to be a security vulnerability (at the time it was known to cause a crash).
http://marc.info/?l=openbsd-misc&m=117404837006368&w=2 [marc.info]
FIPS (Score:5, Informative)
FIPS is a large group of standards - literally, the Federal Information Processing Standards. Any requirement is not "mandated by FIPS", it is mandated by one particular standard - which may or may not apply to any contract.
FIPS 140-2 Annex C, for one, lists quite a few acceptable random number generators; for that standard, I see no requirement for Dual EC DRBG.
Re:FIPS (Score:5, Informative)
There's still no requirement for Dual EC DRBG (so the summary is misleading) but Annex C is also somewhat misleading.
FIPS 140-2 is modified by SP 800-131A which describes algorithm transitions (see FIPS 140-2 Implementation Guidance G.14) and therefore any new FIPS 140-2 module submitted after Dec 31, 2013 can only use an RNG from the SP 800-90A standard; not any of the other RNGs listed in Annex C.
However SP 800-90A specifies four different DRBG algorithms, only one of them being the suspect Dual EC DRBG. So even today new modules aren't forced to use it. (And in fact I believe NIST posted a warning on their 140-2 website strongly recommending that people not use the Dual EC DRBG.)
How long until someone cracks the backdoor key? (Score:5, Interesting)
Actually read TFA, enough flew over my head that I can't personally verify the math, but if true, well holy fucking shit. Once someone brute-forces the backdoor "key" used by the NSA, it looks like the entire system is cracked. Even if it takes a while to brute-force, once you have that you can open any encryption using that curve.
Given that cracking this open would be so useful to both other monitoring agencies, and to criminal hackers, it's sure to happen eventually, if it hasn't already. I'm sure China could throw one of their supercomputers at it.
I'd be curious to know just how hard it would be to brute-force the backdoor key itself. There didn't seem to be anything in TFA about that, and I can't figure out the math myself.
Re:How long until someone cracks the backdoor key? (Score:5, Informative)
Actually read TFA, enough flew over my head that I can't personally verify the math, but if true, well holy fucking shit. Once someone brute-forces the backdoor "key" used by the NSA, it looks like the entire system is cracked. Even if it takes a while to brute-force, once you have that you can open any encryption using that curve.
It's quite possible that this cannot be brute forced. The only way is to create the back door at the time that the random number generator is created. In the end, that is the _first_ requirement: That an arbitrary attacker, given a complete description of the algorithm, cannot brute force it.
Re:How long until someone cracks the backdoor key? (Score:4, Informative)
It's quite possible that this cannot be brute forced. The only way is to create the back door at the time that the random number generator is created. In the end, that is the _first_ requirement: That an arbitrary attacker, given a complete description of the algorithm, cannot brute force it.
From what I understand the whole point of algorithms like this is that brute force is the only option (without knowing the key). If there was some other mathematical way of determining the key the hackers would use that; so the goal is to create an algorithm where the secret key has to either be known, or brute forced. The only way to find the secret key is to literally try every possible number and hope that the computer stumbles across the right one eventually.
Re: (Score:2)
According to Dan Shumow and Niels Ferguson's 2007 presentation [cr.yp.to], finding the private key e corresponds to solving one instance of the elliptic curve discrete log problem [washington.edu], which is believed to be a very hard problem indeed, and probably not even doable for any current supercomputer.
Re: (Score:2)
If it's not doable, how then is the NSA supposed to have done it? It's not like they came up with the key at random then invented this algorithm to fit it; the fact that there is a backdoor key is a quirk of the mathematics.
Re:How long until someone cracks the backdoor key? (Score:4, Informative)
From my understanding, the ability to have *a* backdoor is a quirk of the math, but the "key" depends on the parameters of the elliptic curve. Those parameters for this specific implementation were written by the NSA (under the guise of their mandate to secure American communications) and standardized by NIST. TFA had a full proof of concept using parameters he had generated, which worked.
Re: (Score:3)
If you can choose P and e, then you can easily calculate Q=eP. It is only if you start with P and Q given that you can't find e.
Re:How long until someone cracks the backdoor key? (Score:4, Informative)
If it's not doable, how then is the NSA supposed to have done it? It's not like they came up with the key at random then invented this algorithm to fit it; the fact that there is a backdoor key is a quirk of the mathematics.
It's basically public-key crypto: you can create a keypair and publish the public key - that's essentially what this is, where the point Q in the Dual_EC_DRBG spec is really just a public key. There's a private key as well - it's far too expensive to compute it from the public key (basically 2^128 time), but they didn't have to do that since they generated the private key first.
And it's really not a "quirk of the mathematics" - it's really pretty straightforward if you understand elliptic curves, and it has been well-known how to do this since 2007 or earlier. I think a lot of academic cryptographers didn't really worry about it when Shumow and Ferguson pointed out the potential backdoor, because it's really a pretty crappy technique anyway - academic cryptographers, who quite frankly often don't know what is used in practice, assumed no one would use this. Then it turns out that RSA used it as the default technique in BSAFE. Oops.
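The "Q is a public key" picture from the last two comments (choose e, publish Q = eP, keep e) can be made concrete on a toy curve. What follows is an added example, not the article's proof of concept and not code from any standard or library. The curve y^2 = x^3 + 2x + 3 over GF(1019), the base point search, the seed 123 and the secret e are all constructed here; the real generator runs on NIST P-256 with a Q whose discrete log is known only to whoever picked it, and it truncates 16 bits of each output, which this toy omits. One toy-only step is also labelled in the code: scalars are reduced modulo the order of P so that no iteration lands on the point at infinity, something a 256-bit curve makes negligible without any special handling.

```python
import math

# Toy curve y^2 = x^3 + a*x + b over GF(p). p = 1019 is prime and p % 4 == 3,
# which makes modular square roots a single exponentiation (used by lift_x).
# Parameters are constructed for illustration only.
p, a, b = 1019, 2, 3
assert (4 * a**3 + 27 * b**2) % p != 0          # curve is non-singular


def ec_add(P1, P2):
    """Affine point addition; None stands for the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                 # P1 == -P2
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with this x (either sign of y works for us)."""
    rhs = (x**3 + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)                   # valid because p % 4 == 3
    assert (y * y) % p == rhs, "x is not on the curve"
    return (x, y)


def point_order(pt):
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n


# Base point P: first point on the curve whose order is comfortably large.
for _x in range(1, p):
    _rhs = (_x**3 + a * _x + b) % p
    if pow(_rhs, (p - 1) // 2, p) == 1 and point_order(lift_x(_x)) > 100:
        P = lift_x(_x)
        break
n_P = point_order(P)

# The trapdoor: whoever publishes Q = e*P keeps e, and with it d = e^-1 mod ord(P).
e = 7                                               # constructed secret
while math.gcd(e, n_P) != 1:
    e += 1
d = pow(e, -1, n_P)
Q = ec_mul(e, P)


def x_to_scalar(x):
    """Toy-only guard: keep scalars in (0, ord(P)) so no step hits infinity."""
    k = x % n_P
    return k if k else 1


def dual_ec_step(s):
    """One Dual_EC_DRBG iteration: returns (next_state, output)."""
    r = x_to_scalar(ec_mul(x_to_scalar(s), P)[0])   # r = x(s*P)
    s_next = ec_mul(r, P)[0]                        # next state = x(r*P)
    out = ec_mul(r, Q)[0]                           # output = x(r*Q)
    return s_next, out


def recover_next_state(out, d):
    """Holding d, one output block yields the generator's next state."""
    R = lift_x(out)                                 # R = +/- r*Q
    return ec_mul(d, R)[0]                          # d*(r*Q) = r*(d*e)*P = r*P


def demo_state_recovery(seed=123, steps=4):
    """Run the toy generator, then predict every later output from the first one."""
    states, outputs = [seed], []
    for _ in range(steps):
        s_next, out = dual_ec_step(states[-1])
        states.append(s_next)
        outputs.append(out)
    s_guess = recover_next_state(outputs[0], d)     # sees only outputs[0]
    if s_guess != states[1]:
        return False
    predicted = []
    for _ in range(steps - 1):
        s_guess, out = dual_ec_step(s_guess)
        predicted.append(out)
    return predicted == outputs[1:]


if __name__ == "__main__":
    print("ord(P) =", n_P, " e =", e, " Q =", Q)
    print("later outputs predicted from one block:", demo_state_recovery())
```

The mitigation side is visible in the same code: without d, recovering the state means solving the discrete log of Q to base P, which on a curve of this size is a loop and on P-256 is the 2^128-ish effort the comment quotes. That is why a Q generated verifiably from public data (or a different DRBG altogether) removes the problem, and why a Q handed down with no derivation should be treated as a key someone else may hold.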
Re:How long until someone cracks the backdoor key? (Score:5, Informative)
(Hi. I'm the one Dan was replying to, from another thread. Proof on request, but /. mangles PGP signatures, amongst many other things.)
No, it'd take a Rho attack of 2^127.8 complexity to break that key. Not happening. Way more likely is that someone simply steals the key from the NSA - a daunting prospect - but not particularly useful if all you wanted to know is that there is a backdoor, not to actually use it. There is, and people have been pointing that out since 2006.
I was... surprised at Dan's response. I did not actually expect a response to noting that the backdoor in Dual_EC_DRBG was, and I'll quote myself here, "a backdoor that couldn't have been more obvious if you'd erected a flashing neon sign and driven a mounted parade with a marching band through it", because I didn't think anybody was in disagreement about that. Apparently I was wrong.
My own reply to him, pointing out that even if you mind your Ps & Qs (in the way that he patented, mind you), Dual_EC_DRBG still sucks: http://www.ietf.org/mail-archive/web/cfrg/current/msg03689.html [ietf.org]
I don't have a reply to that yet. In all fairness, it has been the Christmas and New Year period, and it's been kind of a busy one this year, and there's some procedural things to sort out that are probably going to take some time (and input from the crowd here would probably only make things worse, right now). Meanwhile, we have recommendations to make about TLS - in short, use it, but for God's sake, turn off RC4 because it's shit and probably worse than the BEAST attack people tended to use it to avoid - and some new things to roll out with that before the big work on TLS 1.3; with encrypted ClientHellos and pinned certificates to stop random CAs impersonating sites high on the wishlist.
An update, by the way: after re-opening the comments period, having been openly informed of the Snowden disclosures (albeit years after cryptographers warned them), NIST have agreed to remove Dual_EC_DRBG from SP 800-90A. So that's something, at least.
Re: (Score:2)
I suggest anyone interested in this controversy read the following:
How a Crypto ‘Backdoor’ Pitted the Tech World Against the NSA [wired.com]
Although this is in regard to GCHQ, it probably applies to NSA as well: ‘We Can Trust GCHQ On Encryption’ [techweekeurope.co.uk]
This is pretty freaking huge, if true (Score:2, Insightful)
Please, people who understand EC properly, verify & reproduce this ASAP. If so this is yet another thing (one of the BIGGEST things) the NSA has denied about the content of the Snowden leaks.
Plus RSA needs to really step up and be honest about just what occurred inside their walls wrt. FIPS and this algorithm.
At this point, I think the longstanding rule that 'only a fool writes his own crypto' is getting weaker.. I would amend it to "only a fool writes his own crypto, or uses ones supplied by anyone withou
More interesting facts (Score:5, Informative)
I have been adding various facts to the Wikipedia article on Dual_EC_DRBG [wikipedia.org]. A good deal of the most interesting points have not been reported in mainstream media.
* The ANSI group which standardized Dual_EC_DRBG was aware of the potential for a backdoor.
* Three RSA Security employees were listed as being in that ANSI group, making RSA Security's innocence claim shaky, since it is less likely that RSA Security didn't know about the back door when NSA paid them $10 million to use Dual_EC_DRBG as default.
* Two Certicom members of the ANSI group wrote a patent which describes the backdoor in detail, and two ways to prevent it.
* Somehow the ways to prevent the backdoor only make it into the standard as non-default options.
* Somehow the people on the ANSI group forget to publicize the potential for a backdoor. Especially Daniel Brown of Certicom (co-author of the patent), who also wrote an attempt at a mathematical security reduction for Dual_EC_DRBG, but somehow forgets to explicitly mention the backdoor. The conclusion in Brown's paper also seems very determined to hype Dual_EC_DRBG, whereas the other papers about Dual_EC_DRBG seem excited to hype the errors they find.
* The potential backdoor only becomes public knowledge in 2007.
* Daniel Brown writes in December 2013 [ietf.org] that "I'm not sure if this was obvious." and "All considered, I don't see how the ANSI and NIST standards for Dual_EC_DRBG can be viewed as a subverted standard, per se.".
Certicom is the main inventor and patent-holder for elliptic curve cryptography. The two Certicom employees failing to warn or prevent the backdoor they clearly know was possible doesn't reflect well on Certicom.
Re:More interesting facts (Score:5, Informative)
> In short, as is the case with many conspiracy theories all you have is a collection of things that are suggestive, not definitive.
When you design a standard, one of the design criteria is that it does not allow for even a potential backdoor. See e.g. https://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number [wikipedia.org] . It is most definitive that Dual_EC_DRBG should never have been approved given the knowledge available at the time of how to prevent any possible backdoor.
Re: (Score:2)
So an anonymous manager - manager! - thinks it isn't a big deal. They couldn't find an actual cryptographer to quote? While all the cryptographers do think it is a big deal. This is not an issue where there is real discussion. It is not me who is exaggerating, it is you who are understating the issue.
Re: (Score:2)
The DES case is well understood
The DES case is well understood NOW. DES was the subject of conspiracy theories, suspicion, and fear for nearly 20 years, just in the same way that this controversy is likely to go.
The ironic thing about the DES controversy is that it was secretly stronger than many people knew, not weaker, and there are people that adopted other far weaker encryption schemes out of fear and suspicion rather than use DES. The secret techniques that DES was hardened against made cracking many of those other encryption m
The NSA is fucking stupid! (Score:5, Insightful)
So, they introduced a backdoor into software that can be/is used to secure US nuclear secrets, in the hopes only they would be able to take advantage of it? This is just another variant of "security through obscurity." Really, really fucking stupid!
Re: (Score:2)
I don't think they're that stupid. Which is why I doubt the Snowden revelations about this, either it's misinterpreted or misrepresented.
Re: (Score:3)
So, only the NSA, and maybe people having managed to steal e from the NSA would be able to take advantage of this back door.
random(Dual_EC_DRBG()) (Score:2)
I'll stick with Twofish, or AES256 then. (Score:2)
I'll stick with Twofish, or AES256 for my openssl and gpg stuff.
not RNGs (Score:2)
Good point.
not RNGs (Score:2)
True, good point.
I'll try to keep using OpenSSL then ; ) (Score:2)
I'll try to keep using GNUPG (gpg) then ; ) (Score:2)
http://www.gnupg.org/documentation/manuals/gcrypt/Random_002dNumber-Subsyst [gnupg.org]
Time to get distributed.net on the job (Score:2)
If they aren't already, now would be the time to start putting the masses to work hunting down the NSA's special key. This is a nasty one, and the sooner we can use it to bludgeon the guilty parties the better.
Re: (Score:2)
They are us. Some really bad people are slightly inconvenienced as a side-effect, but are by no means stopped (See: Tsarnaev brothers, zero evidence of attacks stopped by the NSA).
Re: (Score:2)
The NSA is so busy building a haystack in which to search for needles, it misses the 100 ton girders with a Vegas scale neon sign pointing right at them.
Re: (Score:2)
Philip Zimmerman, PGP. Older versions 6.5.8 might be okay, something open source. However there is all this worthless security infrastructure in place already that has been rooted. There needs to be compensation for fraud.
Re:YES! (Score:5, Insightful)
For a start, we could at this point reasonably demand that everyone who has accepted a salary from NSA be branded on the forehead with a scarlet letter, so that anyone with any sense would know not to hire them for any position involving trust. Let them work as street sweepers. As persons who sort garbage into different recycling streams. We know these persons cannot be trusted. Identify them, remove them from their current jobs, and place their names on a very public list of persons who cannot be entrusted with anything, in any endeavor.
There needs to be some amount of personal responsibility in the NSA, yet with the obvious exception of Snowden, there is no evidence of any such thing. One good place to start is to hold those who were involved in creating this monster accountable for ethical / moral turpitude.
Re: (Score:2)
Re: (Score:2)
That's a fallacy. I choose what I share on social media. Granted, I can't control what other people share about me, but that was just as true before social media; we just used to call it gossiping. That's why you have to be careful who you trust with things that you consider secret—keep your secrets secret and all that.
Re: (Score:2)
Correct. But you do not choose what is shared about you on social media. Which is what actually matters.
Re:YES! (Score:5, Informative)
That's a fallacy. I choose what I share on social media.
No you don't. Social media sites like Google+ and Facebook vacuum up information about you from everywhere, even things you never intended to be made public like links you've clicked on.
Indeed -- you choose what you share on social media (to a degree), but most people aren't aware of the value of what they're sharing in the first place, and they have almost no control over what is shared about them. This is not the same as gossiping, as gossip involves the game of telephone -- there's no documented evidence that it's true. But when a date-stamped geolocated image of you in a nightclub shows up on your friend's blog with facial recognition indicating that it's you in the picture, and you called in sick that day, that's not gossip; that's evidence -- especially since that photo can then be flagged up for people who are following YOU (including co-workers and possibly your boss), even though you had nothing to do with the publication of the photo.
And this is before we get into whether your privacy settings have been changed by the service host since the last time you reviewed them, and whether others who don't need to honor those settings have found anything interesting in "your" files hosted in an international cloud server system.
If you choose to share nothing on social media, then at least none of the links can be verified, and it's closer to gossip. As soon as you start to share anything though, the metadata is enough of a net to snag all the bits of data about you that are published by others.
Re: YES! (Score:1)
Re:is RSA soon an open vault? (Score:5, Informative)
It seems to me that anything we thought were encrypted and could be, and was, considered secure in that embodiment, is soon subject to revelation. I'm no expert, but I'm losing faith in these algorithms. Please tell me it's going to be okay. PS: if you are NSA, I don't need your reassurances.
Don't worry. It was known for quite a while that this algorithm _might_ have been backdoored. There are basically three possibilities:
1. The NSA didn't know that it could be backdoored when they created it. So there is no backdoor, and the NSA is kicking themselves for that missed opportunity, or for the embarrassment.
2. They knew about it, but intentionally didn't create a backdoor.
3. They knew about it and created a backdoor.
From looking at the algorithm, we cannot possibly know which one is the case. Obviously it would be totally insane to use this algorithm. But that _was_ known for quite some time.
Re:is RSA soon an open vault? (Score:5, Insightful)
But looking at it from a motivation standpoint, only option 3 would be worth paying $10 million for.
Re: (Score:2)
1. The NSA didn't know that it could be backdoored when they created it. So there is no backdoor, and the NSA is kicking themselves for that missed opportunity, or for the embarrassment.
2. They knew about it, but intentionally didn't create a backdoor.
3. They knew about it and created a backdoor.
From looking at the algorithm, we cannot possibly know which one is the case. Obviously it would be totally insane to use this algorithm. But that _was_ known for quite some time.
Except for the 10 million paid to RSA in secret and the 2005 patent describing use of this algorithm for _this exact purpose_.
Re: (Score:3)
You moron. My PGP encrypted email passes the Diehard tests for randomness -- Doesn't mean it's actually random bits.
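The point of this comment, that passing statistical tests says nothing about predictability, is what makes a trapdoored DRBG dangerous: its output can look uniform while handing the internal state to whoever holds the trapdoor. The following is an added, constructed toy (not code from the article or from any real implementation) that uses a small RSA-style exponent pair as a stand-in for Dual_EC_DRBG's hidden relation between the points P and Q; the elliptic-curve arithmetic of the real generator is not reproduced, and the 16-bit primes are purely illustrative.

```python
"""Toy trapdoor DRBG: uniform-looking output that leaks its state to a key holder.
Constructed example; (E, D) over a small modulus stands in for the P/Q trapdoor."""
import hashlib

# Constructed toy parameters: two 16-bit primes, far too small for real use.
P_PRIME, Q_PRIME = 65521, 65519
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
E = 65537                       # public "output function" exponent
D = pow(E, -1, PHI)             # trapdoor: known only to whoever built the generator


def _next_state(state):
    """Advance the internal state with a one-way step (SHA-256 reduced mod N)."""
    digest = hashlib.sha256(state.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % N


def generate(seed, count):
    """Emit `count` outputs. Each output is state^E mod N, a trapdoor permutation
    of the state: it looks uniform to an observer, but D inverts it."""
    state, outputs = seed % N, []
    for _ in range(count):
        outputs.append(pow(state, E, N))
        state = _next_state(state)
    return outputs


def predict_from_one_output(output, count):
    """What a trapdoor holder does: recover the state behind one observed output,
    then run the public state update to predict every following output."""
    state = pow(output, D, N)          # invert the output function with the trapdoor
    predicted = []
    for _ in range(count):
        state = _next_state(state)
        predicted.append(pow(state, E, N))
    return predicted


def monobit_ratio(outputs):
    """Fraction of one-bits in the low 16 bits of each output: a crude frequency
    test of the kind that this generator passes while being fully predictable."""
    bits = [(o >> i) & 1 for o in outputs for i in range(16)]
    return sum(bits) / len(bits)


if __name__ == "__main__":
    stream = generate(123456789, 6)
    print("monobit ratio:", round(monobit_ratio(stream), 3))
    print("predicted rest of stream:", predict_from_one_output(stream[0], 5) == stream[1:])
```

Without D, an observer sees only values that pass a frequency test; with D, a single output is enough to reconstruct every later one, which is the property the article describes for Dual_EC_DRBG.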
Re: The maths is easy for a fifth grader (Score:2, Informative)
Incorrect.
Randomness will assume a gaussian curve distribution, given enough samples, over sufficient time.
A generator algorithm that produces a uniform flat distribution would expose predictable patterns in output that could be exploited.
Re: (Score:3)
And when you're done in 50000 years with our current supercomputers, let us know the results. The number of possible combinations is a bit over 170141183460469231731687303715884105728. Good luck with your bubble-sort.
Re: (Score:2)
No, not really - and as I was writing it I thought "I bet someone's gonna bring Moore's Law into this and then I'm going to have to explain". So I'll explain - the 50,000 years was a figure thrown out there. Really, as long as time taken > life expectancy, OP won't be able to find a result. The actual time to perform that many encryption cycles would be in the millions of years. If Moore's Law progresses over time that would certainly be brought down, but not within OP's lifetime. Then you've got to compa