[Cryptography] Dual_EC_DRBG backdoor: a proof of concept
ianG
iang at iang.org
Fri Jan 3 03:25:30 EST 2014
On 3/01/14 10:45 AM, Krisztián Pintér wrote:
>
> John Kelsey (at Friday, January 3, 2014, 2:31:00 AM):
>> If we replaced dual ec drbg's output function by taking the parity
>> of the output point's scalar value, it looks to me like we'd have a
>> secure drbg despite the potentially evil choice of P and Q, with
>> whatever good theoretical properties came from dual ec drbg.
>
> dual ec is easy to fix, but what is the point? it is even easier not
> to use it, and use fortuna instead, which is better in every way
> possible. people only use dual ec if they have to, to be compliant
> with whatever standards. but then they can't change it, not even the
> extraction part (heck, they can't even fix the mistakes in the
> documentation, see the case of openssl).
>
This is a seriously good point. Defaults are meant to be changed, and
are offered as a sort of security feature. Alternatives are offered as
if this makes sense in a security context [1].
But can defaults be changed? The barrier to this is often high, and too
high to be realistic or give any security benefit.
Two questions, possibly as research topics:
1. How often are security defaults changed? In any given environment such as OpenSSL, etc.
2. How hard is it to change the defaults? What is the mental energy, skill & time required? How high is this barrier?
The result of defaults seems to be that they are poorly chosen [2], end
up being the only choice for 99%, and open up an easy attack, DUAL_EC [3].
iang
[1] http://financialcryptography.com/mt/archives/001461.html
[2] http://financialcryptography.com/mt/archives/001450.html
[3] http://financialcryptography.com/mt/archives/001446.html
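An added toy example (not code from this thread or from any poster) of the point behind the subject line and Kelsey's quoted fix: when the default points satisfy P = E*Q for a scalar E someone knows, the raw x-coordinate output of Dual EC lets that someone recover the next state, whereas an output function that reveals only one bit of the scalar would not expose a liftable point. The curve, the scalar E = 3 and the seed 2 are constructed values chosen so the demo runs in a few lines; they resemble nothing in the real standard.

```python
# Toy Dual_EC_DRBG over a tiny constructed curve, for illustration only.
# Curve y^2 = x^3 + x + 1 over GF(23); Q = (0, 1) has order 28 (hand-checked).
PRIME, A = 23, 1
Q = (0, 1)
E = 3   # constructed "evil" scalar: P = E*Q. Only whoever chose P knows E.

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, PRIME - 2, PRIME)
    else:
        lam = (y2 - y1) * pow(x2 - x1, PRIME - 2, PRIME)
    lam %= PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return x3, (lam * (x1 - x3) - y1) % PRIME

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

P = ec_mul(E, Q)   # P = 3Q = (3, 13); the public "default" points are P and Q

def dual_ec_step(s):
    """One round: r = x(s*P); next state = x(r*P); output = x(r*Q) (no truncation here)."""
    r = ec_mul(s, P)[0]
    return ec_mul(r, P)[0], ec_mul(r, Q)[0]

def dual_ec_outputs(seed, n):
    """Honest consumer: n outputs starting from the secret seed state."""
    outs, s = [], seed
    for _ in range(n):
        s, o = dual_ec_step(s)
        outs.append(o)
    return outs

def predict_from_output(o, n):
    """Backdoor holder: lift output x to a point T = r*Q (either sign works), then
    x(E*T) = x(r*P) is the generator's next state, so the next n outputs follow."""
    y = pow(o ** 3 + A * o + 1, (PRIME + 1) // 4, PRIME)   # sqrt valid as 23 = 3 mod 4
    return dual_ec_outputs(ec_mul(E, (o, y))[0], n)
```

With seed 2 the honest generator emits 11, 12, 17; feeding only the first output 11 to predict_from_output reproduces 12, 17 without ever seeing the seed.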