[Cryptography] [cryptography] SSH uses secp256/384r1 which has the same parameters as what's in SEC2 which are the same parameters as specified in SP800-90 for Dual EC DRBG!
Perry E. Metzger
perry at piermont.com
Mon Sep 9 21:04:33 EDT 2013
On Tue, 10 Sep 2013 00:25:20 +0100 Peter Fairbrother
<zenadsl6186 at zen.co.uk> wrote:
> On 09/09/13 23:03, Perry E. Metzger wrote:
>
> >> On Mon, 9 Sep 2013, Daniel wrote:
> >> [...] They are widely used curves and thus a good way to reduce
> >> conspiracy theories that they were chosen in some malicious way
> >> to subvert DRBG.
> >
> > Er, don't we currently have documents from the New York Times and
> > the Guardian that say that in fact they *did* subvert them?
> >
> > Yes, a week ago this was paranoia, but now we have confirmation,
> > so it is no longer paranoia.
>
> I did not see that, and as far as I can tell there is no actual
> confirmation.
Quoting:
Cryptographers have long suspected that the agency planted
vulnerabilities in a standard adopted in 2006 by the National
Institute of Standards and Technology and later by the
International Organization for Standardization, which has 163
countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness,
discovered by two Microsoft cryptographers in 2007, was engineered
by the agency. The N.S.A. wrote the standard and aggressively
pushed it on the international group, privately calling the effort
“a challenge in finesse.”
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all
This has generally been accepted to only match the NIST ECC RNG
standard, i.e. Dual_EC_DRBG, with the critique in question being
"On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng"
which may be found here: http://rump2007.cr.yp.to/15-shumow.pdf
Do you have an alternative theory?
Perry
--
Perry E. Metzger perry at piermont.com