[Cryptography] Dual_EC_DRBG backdoor: a proof of concept

ianG iang at iang.org
Fri Jan 3 03:25:30 EST 2014


On 3/01/14 10:45 AM, Krisztián Pintér wrote:
>
> John Kelsey (at Friday, January 3, 2014, 2:31:00 AM):
>> If we replaced dual ec drbg's output function by taking the parity
>> of the output point's scalar value, it looks to me like we'd have a
>> secure drbg despite the potentially evil choice of P and Q, with
>> whatever good theoretical properties came from dual ec drbg.
>
> dual ec is easy to fix, but what is the point? it is even easier not
> to use it, and use fortuna instead, which is better in every way
> possible. people only use dual ec if they have to, to be compliant
> with whatever standards. but then they can't change it, not even the
> extraction part (heck, they can't even fix the mistakes in the
> documentation, see the case of openssl).
>


This is a seriously good point.  Defaults are meant to be changed, and 
are offered as a sort of security feature.  Alternatives are offered as 
if this makes sense in a security context [1].

But can defaults be changed?  The barrier to this is often high, and too 
high to be realistic or give any security benefit.

Two questions, possibly as research topics:

      1. How often are security defaults changed, in any given 
environment such as OpenSSL, etc.?

      2. How hard is it to change the defaults?  What is the mental 
energy, skill & time required?  How high is this barrier?

The result of defaults seems to be that they are poorly chosen [2], end 
up being the only choice for 99%, and open up an easy attack, DUAL_EC [3].


iang



[1] http://financialcryptography.com/mt/archives/001461.html
[2] http://financialcryptography.com/mt/archives/001450.html
[3] http://financialcryptography.com/mt/archives/001446.html
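The backdoor named in the subject line, and the one-bit output function Kelsey proposes in the quoted message, can be watched on a toy curve. What follows is an added example written for this page; it is not code from the thread, from NIST SP 800-90A or from any Dual EC implementation. It plants the P = d*Q relation that the quoted "evil choice of P and Q" refers to, shows the trapdoor holder recovering the next state from one full x-coordinate output, and then shows how little a single parity bit tells that same trapdoor holder. The curve (y^2 = x^3 + 2x + 2 over GF(17), base point (5, 1) of prime order 19), the trapdoor d = 7, the seed and the "keep the state nonzero" guard are constructed toy choices. Real Dual EC also discards 16 bits of each x-coordinate before output, which costs the attacker a 2^16 search per block; the toy emits the whole coordinate so the recovery step is exact.

```python
"""Toy Dual EC DRBG with a planted trapdoor P = d*Q.

Added example for this page, not code from the mailing-list thread or from
any standard. Curve, base point, trapdoor scalar and seed are constructed
toy parameters: y^2 = x^3 + 2x + 2 over GF(17), Q = (5, 1) of prime order 19.
"""
P_MOD = 17            # field prime
A, B = 2, 2           # curve coefficients
N = 19                # order of Q (prime), so every scalar in 1..N-1 gives a finite point
Q = (5, 1)            # the "standard" point Q
D = 7                 # trapdoor: whoever chose P knows P = D*Q (assumed toy value)
INF = None            # point at infinity


def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B mod P_MOD."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                       # p1 == -p2, also covers doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


P = mul(D, Q)         # the second "standard" point; its hidden relation to Q is the backdoor


def x_of(pt):
    return 0 if pt is INF else pt[0]


def next_state(s):
    """s_{i+1} = x(s_i * P), reduced into 1..N-1 (toy guard so s*Q is never INF)."""
    return x_of(mul(s, P)) % N or 1


def full_x_output(s):
    """Dual EC's output function: r_i = x(s_i * Q), here with no truncation."""
    return x_of(mul(s, Q))


def parity_output(s):
    """Kelsey's variant from the quoted message: one bit per step instead of the coordinate."""
    return full_x_output(s) & 1


def dual_ec(seed, steps, out_fn=full_x_output):
    """Run the generator for `steps` outputs starting from `seed`."""
    s = seed % N or 1
    outs = []
    for _ in range(steps):
        s = next_state(s)
        outs.append(out_fn(s))
    return outs


def lift_x(x):
    """All curve points with this x-coordinate (brute-force square root; the field is tiny)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if (y * y) % P_MOD == rhs]


def backdoor_predict(d, r_i, steps):
    """Trapdoor attack: from one full output r_i = x(s_i*Q) and d with P = d*Q,
    recover s_{i+1} = x(s_i*P) = x(d*(s_i*Q)) and replay the generator from there."""
    R = lift_x(r_i)[0]                   # sign ambiguity is harmless: x(d*R) == x(d*(-R))
    s = x_of(mul(d, R)) % N or 1         # identical to what next_state(s_i) computed
    preds = []
    for _ in range(steps):
        preds.append(full_x_output(s))
        s = next_state(s)
    return preds


def states_matching_parity(bit):
    """With a one-bit output the trapdoor holder only learns which half the state lies in."""
    return [s for s in range(1, N) if parity_output(s) == bit]


if __name__ == "__main__":
    outs = dual_ec(5, 6)
    print("generator output  :", outs)
    print("predicted from r_1:", backdoor_predict(D, outs[0], 5))
    bits = dual_ec(5, 6, parity_output)
    print("parity outputs    :", bits, "-> candidates for s_1:", states_matching_parity(bits[0]))
```

Running it, the predicted list reproduces the generator's remaining outputs from its first one. States come in pairs s and N-s that share an x-coordinate, so the full-coordinate attack already tolerates a two-way ambiguity; the parity variant leaves the trapdoor holder with roughly half of all states as candidates, which is why the quoted message regards it as a fix, and why Pintér's reply about standards compliance matters more than the fix itself: a deployment that is stuck with the standardized output function cannot apply it.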