[Cryptography] Dual_EC_DRBG backdoor: a proof of concept

ianG iang at iang.org
Fri Jan 3 02:39:48 EST 2014


On 3/01/14 00:30 AM, Jon Callas wrote:


Very nice description of Blum-Blum-Shub, elided, thanks!  Just on the 
general question of whether we can ascribe error or malicious intent...

> The general flaws have been there forever, and in general we still don't see them. ...


* Interference was written up in their goals.  In the large.  It said, 
we are going to take over the crypto industry.

* They know more about RNGs than we do -- it was they who pushed NIST 
in the direction of a deterministic output whitener/expander, the DRBG. 
Until this came along, I don't think it was an understood concept; the 
open world was still working on the premise that we didn't want determinism.

Open question -- when did we the open guys figure it out?

* They have 70 years of practice at sabotage.  It's their job.  They 
have the advantage when it comes to thinking like an attacker.

* They are known to attack the RNG.  They attacked Crypto AG's RNG, as 
Dave pointed out.  Spooks attack RNGs, nobody else does.  So if they 
didn't know about how to attack the BBS design, it's more than 
incompetence, it's gross negligence.

* In complete contrast, we just don't get that practice.  I do not know 
of any real attack where someone has spiked the RNG in our 
open/commercial domain [0].  We think about defence.  And we typically 
aim at crims and academic breachers, not TLAs, until recently.  Crooks 
think about server hacks and social engineering.

So having something placed right in front of us ... might work.  It'd be 
worth a try!  We had to have it pointed out...

* There are insider rumours of what happened at RSA.  This has the 
hallmarks of an 'approach'.

* Everything they do is secret, disinformed, and deniable.  They don't 
lay tracks.  They don't make it easy for us.  And they fill the airwaves 
with excuses and pointers to other theories.  They have their shills.

* And, as you have pointed out:  They had $250m to do these attacks. 
Per year.  If they did this accidentally, I think you guys want your 
money back, and get them out into productive jobs.



For my money, unless we arrest the perps and they confess, this is as 
good as it gets.



iang



[0] if memory serves me right, Netscape had a bad RNG, and Dave & Ian 
attacked it.  But that wasn't deliberate on Netscape's part.  The 
accidentally-on-purpose breach was in their key length generation.