[Cryptography] Dual_EC_DRBG backdoor: a proof of concept

Bart Preneel bart.preneel at esat.kuleuven.be
Fri Jan 3 11:11:19 EST 2014



On Fri, 3 Jan 2014, ianG wrote:

> On 3/01/14 10:45 AM, Krisztián Pintér wrote:
>> 
>> John Kelsey (at Friday, January 3, 2014, 2:31:00 AM):
>>> If we replaced dual ec drbg's output function by taking the parity
>>> of the output point's scalar value, it looks to me like we'd have a
>>> secure drbg despite the potentially evil choice of P and Q, with
>>> whatever good theoretical properties came from dual ec drbg.
>> 
>> dual ec is easy to fix, but what is the point? it is even easier not
>> to use it, and use fortuna instead, which is better in every way
>> possible. people only use dual ec if they have to, to be compliant
>> with whatever standards. but then they can't change it, not even the
>> extraction part (heck, they can't even fix the mistakes in the
>> documentation, see the case of openssl).
>> 
>
>
> This is a seriously good point.  Defaults are meant to be changed, and are 
> offered as a sort of security feature.  Alternatives are offered as if this 
> makes sense in a security context [1].
>
> But can defaults be changed?  The barrier to this is often high, and too high 
> to be realistic or give any security benefit.
>
> Two questions, possibly as research topics:
>
>     1. How often are security defaults changed?  In any given environment 
> such as OpenSSL, etc.
>
>     2.  How hard is it to change the defaults?  What is the mental energy, 
> skill & time required?  How high is this barrier?
>
> The result of defaults seems to be that they are poorly chosen [2], end up 
> being the only choice for 99%, and open up an easy attack, DUAL_EC [3].
>
>
> iang
>
> [1] http://financialcryptography.com/mt/archives/001461.html
> [2] http://financialcryptography.com/mt/archives/001450.html
> [3] http://financialcryptography.com/mt/archives/001446.html


One minor advantage of random number generators is that interoperability
requirements are not so stringent - unless you want to interoperate
with the cryptanalysis tools of three-letter agencies  :-)
So switching defaults may be easier.

By the way: while we have failed badly at (secure) algorithm
agility, this does not imply imho that it is impossible to make
(secure) algorithm agility work.

-Bart

