[Cryptography] how could ECC params be subverted & other evidence

Perry E. Metzger perry at piermont.com
Mon Sep 9 18:56:57 EDT 2013 

On Tue, 10 Sep 2013 00:23:51 +0200 Adam Back <adam at cypherspace.org>
wrote:
> On Mon, Sep 09, 2013 at 06:03:14PM -0400, Perry E. Metzger wrote:
> >On Mon, 9 Sep 2013 14:07:58 +0300 Alexander Klimov wrote:
> >> No. They are widely used curves and thus a good way to reduce
> >> conspiracy theories that they were chosen in some malicious way
> >> to subvert DRBG.
> >
> >Er, don't we currently have documents from the New York Times and
> >the Guardian that say that in fact they *did* subvert them?
> 
> From what I could see it was more like people are taking more
> seriously the criticism that they could have subverted the curves
> because the published parameter generation seeds are big hex
> strings (rather than the typical literaly quote or digits of pi),
> and therefore there is no way to verify the parameters were chosen
> fairly.

The Times reported that a standard from about the right time period
that had been criticized in a 2007 paper by some researchers at
Microsoft (who reported a backdoor) had been subverted, and there had
been much internal congratulation in a memorandum. The only such
standard was apparently the one in question.

This is no longer speculation, we now know that they seem to have
done this.

This was only an example, the context in the Guardian and the Times
made it clear others are probably lurking.

As I've said before, a week ago I would have called the entire idea
paranoia. Now, the evidence has changed. "When the facts change, I
change my mind."

> Relatedly it seems to me that backdooring is a tricky business,
> especially if you care about plausible deniability, and about
> actual security in the face of blackhats or other state actors who
> may rediscover the sabotaged parameters, design, code, master keys
> in the binary etc and exploit it rather than publish it and have it
> fixed by the vendor.

I think you're hardly the only person to note that this is a very
dangerous game they've played, in some cases literally endangering
people's lives.

> Presumably the reverse engineering deities are warming up their
> softICE to pore over the windows and other OS crypto code.

And, I would imagine, people are probably ripping apart popular
hardware crypto implementations, decapping the chips, and
photographing them as we speak. The memoranda spoke of hardware
crypto systems being subverted.

Perry
-- 
Perry E. Metzger		perry at piermont.com

More information about the cryptography mailing list