[Cryptography] Fw: how could ECC params be subverted & other evidence

Perry E. Metzger perry at piermont.com
Tue Sep 10 17:45:40 EDT 2013

On Tue, 10 Sep 2013 16:45:23 -0400 John Kelsey <crypto.jmk at gmail.com>
> [DRBG] seemed like a really weird place to put a backdoor, because
> it was insanely slow, and it seemed unlikely to get any significant
> use.

As an aside, this is just the instance we know about, partially
because they screwed up, partially because the New York Times saw fit
to let us have confirmation of what was suspected in public.

I presume they've been more careful in other places, and that this is
not their only "work". I presume that they knew this would not be
used much and it was only a target of opportunity -- and that they've
gotten much more interesting "fixes" in elsewhere, perhaps even in
other parts of the NIST RNG standards (though it would *seem* much
harder to gimmick those).

> And I, at least, had internalized the idea that we weren't
> going to get intentional bad advice or sabotage from another part
> of the federal government.

You're not the only person feeling betrayed. For many years, the NSA
people appeared on our doorsteps offering help in many, many
contexts -- IETF for example.

The awful part is, many of them may have been completely sincere.
The IA side of the house *does*, in fact, depend on COTS hardware to
secure most of the Federal Government. They *do* have an interest in
keeping US commercial targets safe from attack.

However, even if many of the NSA people who participated in standards
work were sincere, their good will has been ruined by other NSA
people who used the sincere ones as cover for their
machinations. We now have to be suspicious of all of them, probably
permanently, and that's bad for everyone.

I imagine that there are some people inside the NSA now yelling at
others about how they've made it ever so much harder to fix the
security of most of the Federal Government, which indeed depends on
COTS hardware. Now even if they come to us with really good advice,
we have no idea if we should take it because we can't know they're
not lying to us.

None the less, it is done, and those of us on the outside can't
depend on NSA participants in standards work any longer. A set
of short sighted, foolish decisions have created tragedy for all.

Perry E. Metzger		perry at piermont.com
