<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jan 20, 2014 at 3:15 PM, Jonathan Hunt <span dir="ltr"><<a href="mailto:j@me.net.nz" target="_blank">j@me.net.nz</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Mon, Jan 20, 2014 at 11:39 AM, Jerry Leichter <<a href="mailto:leichter@lrw.com">leichter@lrw.com</a>> wrote:<br>
> On Jan 20, 2014, at 12:49 PM, John Kelsey <<a href="mailto:crypto.jmk@gmail.com">crypto.jmk@gmail.com</a>> wrote:<br>
</div><div class="im">> This is one reason I find all the whining about the NSA/RSA business a bit of revisionist history. You can't look at what RSA did in the light of what we know today. You have to look at it based on what was known or reasonably strongly suspected at the time. Certainly at the time DUAL EC DRBG was added to the NIST standards, and RSA added it to BSAFE, NSA was accepted in the role of "helper". The demonstration that it *could* have a trap door didn't show it *did* have a trap door - and after all NSA was fulfilling its role of helping to improve the security of American communications, no? (Well, that *was and is* one of its legally-defined roles, and that was the one we all saw, repeatedly, in public.)<br>
<br>
</div>Here is the presentation from 2007<br>
<a href="http://rump2007.cr.yp.to/15-shumow.pdf" target="_blank">http://rump2007.cr.yp.to/15-shumow.pdf</a><br>
demonstrating that when the constants are chosen they are able to<br>
break DUAL EC. Note, not speculating, but demonstrating a working<br>
attack (using their own chosen constants). "In every experiment 32<br>
bytes of output was sufficient to uniquely identify the internal state<br>
of the PRNG."<br>
<br>
So the only unknown after 2007 was, does someone have the secrets from<br>
the NIST specified constants? This is MUCH worse than some theoretical<br>
weakness that may or may not turn out to be important. This is a<br>
practical break.<br>
<br>
No competent crypto company could be recommending DUAL EC after 2007.<br>
No speculation about whether they should or shouldn't have trusted NSA<br>
is needed. After 2007, DUAL EC was a known badly broken PRNG,<br>
demonstrated a public presentation for respected crytographers. To<br>
continue to leave it as the default for the next 5 years is a total<br>
failure at their core business.<br></blockquote><div><br></div><div>They were a little subtler.</div><div><br></div><div>The NIST standard permits the use of user defined curves. They didn't trust the Fort Meade folk either. The scheme is secure if you choose your own curves but most people don't.</div>
<div><br></div><div><br></div><div>In fact the use of a deterministic RNG with that type of trapdoor is arguably a best practice. It provides a way to audit the operation of a manufactured device.</div><div><br></div><div>
The behavior of the device is transparent and deterministic if the backdoor constants are known and pseudo random and non predictable otherwise.</div><div><br></div><div>The device itself has no way to tell if it is being fed trapdoor constants or not and thus no way to tell if is being audited or not.</div>
<div><br></div></div><div><br></div>-- <br>Website: <a href="http://hallambaker.com/">http://hallambaker.com/</a><br>
</div></div>