[Cryptography] [cryptography] SSH uses secp256/384r1 which has the same parameters as what's in SEC2 which are the same the parameters as specified in SP800-90 for Dual EC DRBG!
Kristian Gjøsteen
kristian.gjosteen at math.ntnu.no
Mon Sep 9 06:50:29 EDT 2013
9. sep. 2013 kl. 10:45 skrev Eugen Leitl <eugen at leitl.org>:
> Forwarded without permission, hence anonymized:
> "
> Hey, I had a look at SEC2 and the TLS/SSH RFCs. SSH uses secp256/384r1
> which has the same parameters as what's in SEC2 which are the same the
> parameters as specified in SP800-90 for Dual EC DRBG!
> TLS specifies you can use those two curves as well...
> Surely that's not coincidence..
> "
The curves are standard NIST curves. They were the curves you used until about now. That they are the same everywhere is no surprise.
The "problem" with Dual-EC-DRBG was that a point that should have been generated verifiably at random was not generated verifiably at random. There's no reason to believe it wasn't, but it was a stupid mistake that should not have been made, and that has now been blown out of all proportion. Users, if there are any, should generate their own points verifiably at random.
If you reuse one or more points from Dual-EC-DRBG as generators in other standards, it is of no matter. Even if the points are carefully chosen, they cannot compromise those other standards. (DLOG is essentially independent of the generator.)
There's no reason to be paranoid, just because the NSA is out to get you.
--
Kristian Gjøsteen
More information about the cryptography
mailing list