[Cryptography] how could ECC params be subverted & other evidence

Perry E. Metzger perry at piermont.com
Mon Sep 9 18:56:57 EDT 2013

On Tue, 10 Sep 2013 00:23:51 +0200 Adam Back <adam at cypherspace.org> wrote:
> On Mon, Sep 09, 2013 at 06:03:14PM -0400, Perry E. Metzger wrote:
> >On Mon, 9 Sep 2013 14:07:58 +0300 Alexander Klimov wrote:
> >> No. They are widely used curves and thus a good way to reduce
> >> conspiracy theories that they were chosen in some malicious way
> >> to subvert DRBG.
> >
> >Er, don't we currently have documents from the New York Times and
> >the Guardian that say that in fact they *did* subvert them?
> From what I could see it was more like people are taking more
> seriously the criticism that they could have subverted the curves
> because the published parameter generation seeds are big hex
> strings (rather than the typical literary quote or digits of pi),
> and therefore there is no way to verify the parameters were chosen
> fairly.

The Times reported that a standard from about the right time period
that had been criticized in a 2007 paper by some researchers at
Microsoft (who reported a backdoor) had been subverted, and there had
been much internal congratulation in a memorandum. The only such
standard was apparently the one in question.

This is no longer speculation; we now know that they seem to have
done this.

This was only an example; the context in the Guardian and the Times
made it clear others are probably lurking.

As I've said before, a week ago I would have called the entire idea
paranoia. Now, the evidence has changed. "When the facts change, I
change my mind."

> Relatedly it seems to me that backdooring is a tricky business,
> especially if you care about plausible deniability, and about
> actual security in the face of blackhats or other state actors who
> may rediscover the sabotaged parameters, design, code, master keys
> in the binary etc and exploit it rather than publish it and have it
> fixed by the vendor.

I think you're hardly the only person to note that this is a very
dangerous game they've played, in some cases literally endangering
people's lives.

> Presumably the reverse engineering deities are warming up their
> softICE to pore over the windows and other OS crypto code.

And, I would imagine, people are probably ripping apart popular
hardware crypto implementations, decapping the chips, and
photographing them as we speak. The memoranda spoke of hardware
crypto systems being subverted.

Perry E. Metzger		perry at piermont.com
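An added illustration of the seed point quoted above (example code, not part of this thread or of any standard's reference implementation): the ANSI X9.62 / FIPS 186 "verifiably random" procedure lets anyone check that a curve's b coefficient was derived from its published SEED, but it says nothing about how that SEED was chosen, which is exactly why an opaque hex seed gives no assurance that the seed was not searched for. It assumes the public P-256 parameters as printed in the standard; the tamper check and helper names are constructed here.

```python
import hashlib

# NIST P-256 parameters as published (FIPS 186-4 / SEC 2); SEED is the
# opaque 160-bit hex string the thread refers to.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = 0xc49d360886e704936a6678e1139d26b7819f7e90


def sha1_int(x: int, nbytes: int) -> int:
    """SHA-1 of x encoded as a fixed-width big-endian string, as an integer."""
    return int.from_bytes(hashlib.sha1(x.to_bytes(nbytes, "big")).digest(), "big")


def x962_r_from_seed(seed: int, p: int, g: int = 160) -> int:
    """ANSI X9.62 A.3.3.1 (prime field): derive the integer r from SEED."""
    t = p.bit_length()          # 256 for P-256
    s = (t - 1) // 160          # number of extra SHA-1 blocks (1 for P-256)
    v = t - 160 * s             # width of the first block W0 (96 for P-256)
    c0 = sha1_int(seed, g // 8) & ((1 << v) - 1)   # v rightmost bits of SHA-1(SEED)
    w = c0 & ~(1 << (v - 1))                        # W0: leftmost bit cleared
    for i in range(1, s + 1):
        zi = (seed + i) % (1 << g)                  # z_i = (z + i) mod 2^g
        w = (w << 160) | sha1_int(zi, g // 8)       # W = W0 || W1 || ... || Ws
    return w


def verify_prime_curve(seed: int, p: int, a: int, b: int) -> bool:
    """Check r * b^2 == a^3 (mod p), i.e. b was derived from SEED."""
    r = x962_r_from_seed(seed, p)
    return (r * b * b - a ** 3) % p == 0


def seed_is_explained(seed: int) -> bool:
    """Constructed caveat: nothing in the procedure ties SEED to anything
    public, so this check can never be made to pass for a bare hex seed."""
    return False


if __name__ == "__main__":
    print("P-256 b matches SEED:", verify_prime_curve(P256_SEED, P256_P, P256_A, P256_B))
    print("tampered b matches  :", verify_prime_curve(P256_SEED, P256_P, P256_A, P256_B + 1))
    print("SEED provenance known:", seed_is_explained(P256_SEED))
```

The derivation check passing only shows b follows from SEED; a party free to pick any 160-bit SEED could have tried many until a curve with a property it wanted appeared, and the check above cannot detect that.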
