[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Tim Dierks tim at dierks.org
Fri Sep 6 13:09:19 EDT 2013


On Fri, Sep 6, 2013 at 3:03 AM, Kristian Gjøsteen <
kristian.gjosteen at math.ntnu.no> wrote:

>         Has anyone, anywhere ever seen someone use Dual-EC-DRBG?
>
> I mean, who on earth would be daft enough to use the slowest possible
> DRBG? If this is the best NSA can do, they are over-hyped.
>

It's implemented in Windows and in a number of other libraries*; I can't
find any documentation on which points these implementations use. But I
agree that there's little technical reason to use it—however, who is to
know that a vendor couldn't be influenced to choose it?

In perusing the list of NIST validations, there are a number of cases where
Dual_EC_DRBG is the only listed mode, but all of them (with one exception)
are issued to companies where they have other validations, generally on
similar products, so it just looks like they got multiple validations for
different modes. The one exception is Lancope, validation #288, which
validated their use of Dual_EC_DRBG, but no other modes. So it looks like
there's at least one implementation in use in the wild.

 - Tim

* - The implementors that NIST lists
<http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html> are:
RSA, Certicom, Cisco, Juniper, BlackBerry, OpenPeak, OpenSSL, Microsoft,
Mocana, ARX, Cummings Engineering Consultants, Catbird, Thales e-Security,
SafeLogic, Panzura, SafeNet, Kony, Riverbed, and Symantec. (I excluded
validations where the implementation clearly appears to be licensed, but
people can name it anything they want, and some of the above are probably
just OpenSSL forks, etc.)
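To make concrete why "which points these implementations use" is the whole question, here is an added toy model (not code from the thread, nor from any of the vendors listed) of the Dual_EC_DRBG block step on a constructed tiny curve with a constructed secret relation P = d*Q; real parameters, the 16-bit output truncation and the exact seeding rules are omitted, so the curve, the constant SECRET_D and the seed are all assumptions.

```python
# Toy Dual_EC_DRBG on a tiny constructed curve (NOT a real parameter set) showing why the
# choice of P and Q matters: whoever knows d with P = d*Q turns one output block into the
# generator's next state and can then predict every later block.
P_MOD, A, B = 10007, 2, 3   # y^2 = x^3 + A*x + B over GF(10007); 10007 % 4 == 3 makes sqrt easy
SECRET_D = 1237             # assumed "backdoor" relation P = SECRET_D * Q (prime, so gcd checks are simple)

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                          # p1 == -p2 (also covers doubling a 2-torsion point)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def xcoord(pt):
    if pt is None: raise ValueError("hit the point at infinity; the toy curve is just too small")
    return pt[0]

def lift_x(x):
    """Return a point with this x coordinate, or None if x is not on the curve."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def point_order(pt):
    k, acc = 1, pt
    while acc is not None:
        acc, k = ec_add(acc, pt), k + 1
    return k

def make_params():
    """Pick a Q of large order coprime to SECRET_D, then derive the 'public' P = SECRET_D * Q."""
    x = 1
    while True:
        q = lift_x(x)
        if q is not None and point_order(q) > 2000 and point_order(q) % SECRET_D:
            return ec_mul(SECRET_D, q), q
        x += 1

def dual_ec_step(s, P, Q):
    """One block: r = x(s*P); new state = x(r*P); output = x(r*Q) (no truncation in this toy)."""
    r = xcoord(ec_mul(s, P))
    return xcoord(ec_mul(r, P)), xcoord(ec_mul(r, Q))

def recover_state_from_output(t, d):
    """Attacker's view: x(d * r*Q) = x(r*P), i.e. the state that produced the *next* block."""
    return xcoord(ec_mul(d, lift_x(t)))   # lift_x may return -rQ, but d*(-R) has the same x

def demo(seed=4242):
    P, Q = make_params()
    s1, t1 = dual_ec_step(seed, P, Q)            # honest generator emits t1
    s2, t2 = dual_ec_step(s1, P, Q)              # ... and later t2
    s1_guess = recover_state_from_output(t1, SECRET_D)
    _, t2_guess = dual_ec_step(s1_guess, P, Q)   # attacker predicts t2 from t1 alone
    return {"state_recovered": s1_guess == s1, "next_output_predicted": t2_guess == t2}
```

With the real 16-bit truncation the attacker has about 2^16 candidate points to try per block instead of one, which is cheap; without d the same computation is the discrete logarithm problem.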