[Cryptography] [cryptography] SSH uses secp256/384r1 which has the same parameters as what's in SEC2 which are the same the parameters as specified in SP800-90 for Dual EC DRBG!

Perry E. Metzger perry at piermont.com
Mon Sep 9 21:04:33 EDT 2013

On Tue, 10 Sep 2013 00:25:20 +0100 Peter Fairbrother
<zenadsl6186 at zen.co.uk> wrote:
> On 09/09/13 23:03, Perry E. Metzger wrote:
> >> On Mon, 9 Sep 2013, Daniel wrote:
> >> [...] They are widely used curves and thus a good way to reduce
> >> conspiracy theories that they were chosen in some malicious way
> >> to subvert DRBG.
> >
> > Er, don't we currently have documents from the New York Times and
> > the Guardian that say that in fact they *did* subvert them?
> >
> > Yes, a week ago this was paranoia, but now we have confirmation,
> > so it is no longer paranoia.
> I did not see that, and as far as I can tell there is no actual 
> confirmation.


   Cryptographers have long suspected that the agency planted
   vulnerabilities in a standard adopted in 2006 by the National
   Institute of Standards and Technology and later by the
   International Organization for Standardization, which has 163
   countries as members.

   Classified N.S.A. memos appear to confirm that the fatal weakness,
   discovered by two Microsoft cryptographers in 2007, was engineered
   by the agency. The N.S.A. wrote the standard and aggressively
   pushed it on the international group, privately calling the effort
   “a challenge in finesse.”


This has generally been accepted to only match the NIST ECC RNG
standard, i.e. Dual_EC_DRBG, with the critique in question being
"On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng"
which may be found here: http://rump2007.cr.yp.to/15-shumow.pdf

Do you have an alternative theory?

Perry E. Metzger		perry at piermont.com

More information about the cryptography mailing list