[Cryptography] RSA is dead.

Jonathan Hunt j at me.net.nz
Mon Jan 20 15:15:00 EST 2014


On Mon, Jan 20, 2014 at 11:39 AM, Jerry Leichter <leichter at lrw.com> wrote:
> On Jan 20, 2014, at 12:49 PM, John Kelsey <crypto.jmk at gmail.com> wrote:
> This is one reason I find all the whining about the NSA/RSA business a bit of revisionist history.  You can't look at what RSA did in the light of what we know today.  You have to look at it based on what was known or reasonably strongly suspected at the time.  Certainly at the time DUAL EC DRBG was added to the NIST standards, and RSA added it to BSAFE, NSA was accepted in the role of "helper".  The demonstration that it *could* have a trap door didn't show it *did* have a trap door - and after all NSA was fulfilling its role of helping to improve the security of American communications, no?  (Well, that *was and is*  one of its legally-defined roles, and that was the one we all saw, repeatedly, in public.)

Here is the presentation from 2007
http://rump2007.cr.yp.to/15-shumow.pdf
demonstrating that when the constants are chosen they are able to
break DUAL EC. Note, not speculating, but demonstrating a working
attack (using their own chosen constants). "In every experiment 32
bytes of output was sufficient to uniquely identify the internal state
of the PRNG."

So the only unknown after 2007 was, does someone have the secrets from
the NIST specified constants? This is MUCH worse than some theoretical
weakness that may or may not turn out to be important. This is a
practical break.

No competent crypto company could be recommending DUAL EC after 2007.
No speculation about whether they should or shouldn't have trusted NSA
is needed. After 2007, DUAL EC was a known badly broken PRNG,
demonstrated in a public presentation to respected cryptographers. To
continue to leave it as the default for the next 5 years is a total
failure at their core business.

Jonny
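The 2007 result the post points to rests on one relation: if the two Dual EC constants satisfy P = e*Q for a scalar e that someone knows, then one truncated output plus a little of the next one is enough to recover the generator's internal state, after which every later output is predictable. The following is an added illustration, not code from the post, from the Shumow-Ferguson slides, or from any NIST specification: it builds a toy Dual EC on a made-up 31-bit curve (constructed parameters P_MOD, A, B, the trapdoor scalar E_TRAPDOOR, the seed, and an 8-bit truncation in place of the real 16-bit one are all assumptions), then plays the role of the party holding e and shows that the outputs alone give away the state.

```python
"""Toy model of the Dual EC DRBG trapdoor on a small curve.

Constructed example: curve, points, scalar e, seed and truncation width are
all made-up toy values, not the NIST P-256 constants. Python 3.8+ (pow(x, -1, m)).
"""

# Toy curve y^2 = x^3 + A*x + B over GF(P_MOD); P_MOD = 3 (mod 4) so that a
# square root is one modular exponentiation. Constructed parameters.
P_MOD = 2**31 - 1
A = 7
B = 11

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Return a curve point with x-coordinate x, or None if there is none."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

# Trapdoor construction (constructed values): Q is simply the first curve point
# with x >= 100, and P is defined as e*Q for a scalar e the designer keeps.
# Writing the standard's order (Q = d*P, d secret) the same way gives e = d^-1.
E_TRAPDOOR = 0x2F9A1C3D
Q = next(pt for pt in map(lift_x, range(100, 200)) if pt is not None)
P = ec_mul(E_TRAPDOOR, Q)

OUT_BITS = 23                    # publish the low 23 of 31 bits (real: 240 of 256)
MASK = (1 << OUT_BITS) - 1

def outputs_from_state(s, n):
    """Outputs r_i, r_{i+1}, ... starting from the state s_i that yields r_i.
    Each step publishes x(s*Q) truncated, then advances s <- x(s*P)."""
    outs = []
    for _ in range(n):
        outs.append(ec_mul(s, Q)[0] & MASK)
        s = ec_mul(s, P)[0]
    return outs

class DualEC:
    """Generator side: advance the state, then emit a truncated x(s*Q)."""
    def __init__(self, seed):
        self.s = seed
    def next_output(self):
        self.s = ec_mul(self.s, P)[0]
        return ec_mul(self.s, Q)[0] & MASK

def candidate_states(output):
    """Every next-state consistent with one truncated output, given e.
    Each lifted R is +/- s*Q; x(e*R) = x(s*P) is the generator's next state."""
    cands = set()
    for high in range(1 << (P_MOD.bit_length() - OUT_BITS)):
        x = output | (high << OUT_BITS)
        if x >= P_MOD:
            break
        r_point = lift_x(x)
        if r_point is not None:
            nxt = ec_mul(E_TRAPDOOR, r_point)
            if nxt is not None:
                cands.add(nxt[0])
    return cands

def recover_state(outputs):
    """outputs[0] yields the candidates; outputs[1:] discard the wrong ones."""
    return [s for s in candidate_states(outputs[0])
            if outputs_from_state(s, len(outputs) - 1) == outputs[1:]]

def demo(seed=0x12345678, observe=3, predict=3):
    """Observe a few outputs, recover the state, predict the ones that follow."""
    gen = DualEC(seed)
    observed = [gen.next_output() for _ in range(observe)]
    future = [gen.next_output() for _ in range(predict)]
    survivors = recover_state(observed)
    predicted = outputs_from_state(survivors[0], observe - 1 + predict)[observe - 1:]
    return survivors, predicted, future

if __name__ == "__main__":
    survivors, predicted, future = demo()
    print("recovered states:", survivors)
    print("predicted:", predicted, "actual:", future)
```

The attacker never learns the seed and never breaks the curve; the only thing used is e, and nothing in the output stream can reveal whether such an e exists. That is why the question of who chose Q, and whether it was generated verifiably, is the entire security argument for this design rather than a side issue.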

