[Cryptography] Dual_EC_DRBG backdoor: a proof of concept
ianG
iang at iang.org
Mon Jan 13 04:35:08 EST 2014
(apologies, late reply, had to think about it!)
On 3/01/14 22:45 PM, John Kelsey wrote:
> On Jan 3, 2014, at 12:39 AM, ianG <iang at iang.org> wrote:
>
>> * They know more about RNGs than we do -- it was them that pushed NIST in the direction of a deterministic output whitener/expander, the DRBG. Until this came along, I don't think it was an understood concept, the open world was still working on the premise that we didn't want determinism.
>
> No, Niels and Bruce and I were doing this in Yarrow-160 long before X9.82, and it was also how the RSAREF, ANSI X9.17 and DSA prngs worked even earlier. I published a paper with Bruce, Niels, and Chris showing how this kind of PRNG can be attacked long before X9.82 had started, too. This was one of about three models for doing random number generation floating around--alongside pool type designs like dev/random and hardware RNG designs.
OK, I stand corrected! I'll have to see if I can find that reference to
NSA saying using a non-deterministic RNG is a state of sin.
>> * They have 70 years of practice at sabotage. It's their job. They have the advantage when it comes to thinking like an attacker.
>
> Right, but the apparent sabotage of dual ec drbg wasn't all that subtle--it involved getting on the standards editing committee, and being trusted by the other members of that committee. In a world where lots of people (including me) thought they were working to make public crypto stronger, not weaker.
If you are going to sabotage a standard, then it pretty much involves
being ... at the meetings, and wielding power to direct efforts. This
might not involve much pushing, or it might involve a lot of pushing.
For example, the GSM committees that designed their A3, A5 algorithms
were pushed, but only gently. Spooks were at some meetings, but they
said little. As they were all telcos at heart, and as their threat
model was paparazzi snooping and billing theft, and as they were
Europeans and traditionally were in bed with the agencies, they really
didn't care that much. Only a small amount of pushing was required to
set the key at 40 bits, the famous 8 * 0 bytes plus the
checksum-of-deception copied from DES.
An open group preparing standards for open industry has much broader
threat models. GSM had theirs quite clear and narrow, vertically
integrated, but when you are building a general tool, you have to more
or less consider every threat ... or you have to come up with a stylised
perfect design model (like SSL did with their perfect secure connection).
Then, influencing such a group as a NIST committee requires a lot less
subtlety and a lot more deception. And taking much bigger risks.
> Putting a backdoor in a standard they worked on involved spending all the goodwill and trust they had built up over the last decade or more, with consequences that will go a decade or two into the future.
Right. You might ask why they took that risk. What we do know is that
they take these risks in general; they have the mindset. It is here, in
black and white:
http://financialcryptography.com/mt/archives/001455.html
http://financialcryptography.com/mt/archives/001458.html
Why did they take that particular risk (assuming they did), knowing,
or when they should have known, that the consequences would be
disastrous? For that I guess we have to look at the history of the last
decade.
One open question is whether they took that risk particularly with
NIST/DUAL_EC, as asked by Jon and you and many others.
That's a judgement call; we'll 'know for certain' in 50 years when they
declassify. Until then ... what matters is that they are taking that
risk, in general, everywhere they can.
So we have to act "as if" the NIST standards are under attack.
This is a useful thing, as it also has consequences. It protects the
NSA from blundering again -- if they know we all act "as if" the NSA is
going to pervert the NIST standards, then they are much less likely to
do it. OTOH, if we act "as if" this is unlikely, silly, implausible,
unsubtle or whatever, then the prize is sitting there ... they are more
likely to give it a go.
>> * They are known to attack the RNG. They attacked Crypto AG's RNG, as Dave pointed out. Spooks attack RNGs, nobody else does.
>
> That sounds silly to me. Attackers use what they can find.
Yes, interesting counterpoint: the Android/Java RNG hack to steal bitcoins.
iang