[Cryptography] Dual_EC_DRBG backdoor: a proof of concept
ianG
iang at iang.org
Fri Jan 3 02:39:48 EST 2014
On 3/01/14 00:30 AM, Jon Callas wrote:
Very nice description of Blum-Blum-Shub, elided, thanks! Just on the
general question of whether we can ascribe error or malicious intent...
> The general flaws have been there forever, and in general we still don't see them. ...
* Interference was written up in their goals. In the large. It said,
we are going to take over the crypto industry.
* They know more about RNGs than we do -- it was them that pushed NIST
in the direction of a deterministic output whitener/expander, the DRBG.
Until this came along, I don't think it was an understood concept, the
open world was still working on the premise that we didn't want determinism.
Open question -- when did we the open guys figure it out?
* They have 70 years of practice at sabotage. It's their job. They
have the advantage when it comes to thinking like an attacker.
* They are known to attack the RNG. They attacked Crypto AG's RNG, as
Dave pointed out. Spooks attack RNGs, nobody else does. So if they
didn't know about how to attack the BBS design, it's more than
incompetence, it's gross negligence.
* In complete contrast, we just don't get that practice. I do not know
of any real attack where someone has spiked the RNG in our
open/commercial domain [0]. We think about defence. And we typically
aim at crims and academic breachers, not TLAs, until recently. Crooks
think about server hacks and social engineering.
So having something placed right in front of us ... might work. It'd be
worth a try! We had to have it pointed out...
* There are insider rumours of what happened at RSA. This has the
hallmarks of an 'approach'.
* Everything they do is secret, disinformed, and deniable. They don't
lay tracks. They don't make it easy for us. And they fill the airwaves
with excuses and pointers to other theories. They have their shills.
* And, as you have pointed out: They had $250m to do these attacks.
Per year. If they did this accidentally, I think you guys want your
money back, and get them out into productive jobs.
For my money, unless we arrest the perps and they confess, this is as
good as it gets.
iang
[0] if memory serves me right, Netscape had a bad RNG, and Dave & Ian
attacked it. But that wasn't deliberate on Netscape's part. The
accidentally-on-purpose breach was in their key length generation.