[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Perry E. Metzger perry at piermont.com
Thu Sep 5 19:35:37 EDT 2013


On Thu, 5 Sep 2013 19:14:53 -0400 John Kelsey <crypto.jmk at gmail.com>
wrote:
> First, I don't think it has anything to do with Dual EC DRBG.  Who
> uses it?

It did *seem* to match the particular part of the story about a
subverted standard that was complained about by Microsoft
researchers. I would not claim that it is the most important part of
the story.

> My impression is that most of the encryption that fits what's in
> the article is TLS/SSL.

Yes, and if they have a real hole there they're exploiting, that is
quite disturbing. If they're merely using a hodge-podge of techniques
to get keys, it is less worrying.

> Where do the world's crypto random numbers come from?  My guess is
> some version of the Windows crypto api and /dev/random
> or /dev/urandom account for most of them.

I'm starting to think that I'd probably rather type in the results of
a few dozen die rolls every month into my critical servers and let
AES or something similar in counter mode do the rest.

A d20 has a bit more than 4 bits of entropy. I can get 256 bits with
64 die rolls, or, if I have eight dice, 16 rolls of the group. If I
mistype when entering the info, no harm is caused. The generator can
be easily tested for correct behavior if it is simply a block cipher.

> What does most of the world's TLS?  OpenSSL and a few other
> libraries, is my guess.  But someone must have good data about this.
> 
> My broader question is, how the hell did a sysadmin in Hawaii get
> hold of something that had to be super secret?  He must have been
> stealing files from some very high ranking people.  

I believe there was already discussion in the press on that latter
point, but I think it is less germane to our discussion here and
would prefer that we avoid speculating on things that are only of
human/gossip interest.

Perry
-- 
Perry E. Metzger		perry at piermont.com
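An added example, not code from the thread, of the dice-seeded counter-mode generator Perry sketches above: it budgets entropy at log2(20) bits per d20 roll, condenses the typed transcript into an AES-256 key, and shows the known-answer check that a generator built from nothing but a block cipher permits. Condensing the rolls with SHA-256 and starting the counter at zero are my assumptions; Go's standard-library AES is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
	"math"
)

// seedFromRolls condenses fair d-sided die rolls into a 256-bit AES key; n rolls
// carry n*log2(d) bits (a d20 gives about 4.32 per roll, so 64 rolls exceed 256).
func seedFromRolls(sides int, rolls []int) ([]byte, error) {
	if bits := float64(len(rolls)) * math.Log2(float64(sides)); bits < 256 {
		return nil, fmt.Errorf("%d rolls carry only %.1f bits, need 256", len(rolls), bits)
	}
	h := sha256.New()
	for _, r := range rolls {
		if r < 1 || r > sides {
			return nil, fmt.Errorf("roll %d is outside 1..%d", r, sides)
		}
		fmt.Fprintf(h, "%d,", r) // delimiter keeps "1,12" distinct from "11,2"
	}
	return h.Sum(nil), nil
}

// ctrGenerator yields successive AES-256 keystream bytes in counter mode from an
// all-zero counter block: the generator is nothing but the block cipher.
func ctrGenerator(key []byte) func(n int) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length fails; seedFromRolls gives 32 bytes
	}
	stream := cipher.NewCTR(block, make([]byte, aes.BlockSize))
	return func(n int) []byte {
		out := make([]byte, n)
		stream.XORKeyStream(out, out) // XOR over zeros leaves the raw keystream
		return out
	}
}

// knownAnswerCheck is the "easily tested" property: the generator's first 16
// bytes must equal AES_key(all-zero block), computed here straight from the cipher.
func knownAnswerCheck(key []byte) bool {
	got := ctrGenerator(key)(aes.BlockSize) // panics on a malformed key
	block, _ := aes.NewCipher(key)           // the same key just succeeded above
	want := make([]byte, aes.BlockSize)
	block.Encrypt(want, want) // encrypt counter block 0 in place
	return string(got) == string(want)
}
```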

