[Cryptography] RSA is dead.

Phillip Hallam-Baker hallam at gmail.com
Mon Jan 20 17:10:46 EST 2014


On Mon, Jan 20, 2014 at 3:15 PM, Jonathan Hunt <j at me.net.nz> wrote:

> On Mon, Jan 20, 2014 at 11:39 AM, Jerry Leichter <leichter at lrw.com> wrote:
> > On Jan 20, 2014, at 12:49 PM, John Kelsey <crypto.jmk at gmail.com> wrote:
> > This is one reason I find all the whining about the NSA/RSA business a
> bit of revisionist history.  You can't look at what RSA did in the light of
> what we know today.  You have to look at it based on what was known or
> reasonably strongly suspected at the time.  Certainly at the time DUAL EC
> DRBG was added to the NIST standards, and RSA added it to BSAFE, NSA was
> accepted in the role of "helper".  The demonstration that it *could* have a
> trap door didn't show it *did* have a trap door - and after all NSA was
> fulfilling its role of helping to improve the security of American
> communications, no?  (Well, that *was and is*  one of its legally-defined
> roles, and that was the one we all saw, repeatedly, in public.)
>
> Here is the presentation from 2007
> http://rump2007.cr.yp.to/15-shumow.pdf
> demonstrating that when the constants are chosen they are able to
> break DUAL EC. Note, not speculating, but demonstrating a working
> attack (using their own chosen constants). "In every experiment 32
> bytes of output was sufficient to uniquely identify the internal state
> of the PRNG."
>
> So the only unknown after 2007 was, does someone have the secrets from
> the NIST specified constants? This is MUCH worse than some theoretical
> weakness that may or may not turn out to be important. This is a
> practical break.
>
> No competent crypto company could be recommending DUAL EC after 2007.
> No speculation about whether they should or shouldn't have trusted NSA
> is needed. After 2007, DUAL EC was a known, badly broken PRNG,
> demonstrated in a public presentation to respected cryptographers. To
> continue to leave it as the default for the next 5 years is a total
> failure at their core business.
>

They were a little subtler.

The NIST standard permits the use of user-defined curves. They didn't trust
the Fort Meade folk either. The scheme is secure if you choose your own
curves, but most people don't.


In fact the use of a deterministic RNG with that type of trapdoor is
arguably a best practice. It provides a way to audit the operation of a
manufactured device.

The behavior of the device is transparent and deterministic if the backdoor
constants are known, and pseudorandom and unpredictable otherwise.

The device itself has no way to tell if it is being fed trapdoor constants
or not, and thus no way to tell if it is being audited or not.


-- 
Website: http://hallambaker.com/
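The "transparent if you know the constants, pseudorandom otherwise" property above can be shown in a few dozen lines. What follows is an added example written for this page, not code from Hallam-Baker's post, from RSA's BSAFE, or from the Shumow/Ferguson slides. It uses the public P-256 curve parameters from FIPS 186-4, but the second point Q is not the Q printed in SP 800-90A: it is constructed here from a chosen secret d so that P = d*Q, which is exactly the relation the 2007 talk assumed. The DRBG loop is the simplified per-block form with no additional input, and the toy drops 6 bits of each x-coordinate rather than the 16 the spec drops, so that the brute force stays cheap in pure Python; d, the seed and the truncation width are constructed values. Whoever knows d recovers the internal state from one output block and predicts every later one; whoever generated Q from an independent scalar and threw it away cannot, which is the option the standard leaves to implementers.

```python
"""Toy of the Dual EC DRBG trapdoor on P-256 (added example, see lead-in).

The curve is the public P-256 (secp256r1); Q is NOT the SP 800-90A constant but a
point built here from a constructed secret d with P = d*Q. That relation is the
whole trapdoor: the device behaves identically whether or not anyone knows d.
"""

# P-256 domain parameters (FIPS 186-4, D.1.2.3). Curve: y^2 = x^3 - 3x + b mod p.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GEN = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
       0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

# The spec drops the 16 most significant bits of each 256-bit x-coordinate.
# This toy drops 6 (constructed choice) so the search below is a few dozen
# pure-Python scalar multiplications; the real attack is the same with 2^16 candidates.
TRUNC_BITS = 6
MASK = (1 << (256 - TRUNC_BITS)) - 1


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None                                  # p1 == -p2
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, P256_P - 2, P256_P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, P256_P - 2, P256_P)
    lam %= P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    y3 = (lam * (x1 - x3) - y1) % P256_P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def x_coord(pt):
    return 0 if pt is None else pt[0]


def make_trapdoor_q(d):
    """Q = d^-1 * P (mod n), hence P = d*Q. Whoever knows d holds the trapdoor;
    an implementer who derives Q from a scalar they discard does not."""
    return ec_mul(pow(d, P256_N - 2, P256_N), GEN)     # n is prime


def dual_ec_block(state, Q):
    """One simplified Dual EC output block (no additional input):
    s = x(state*P), r = x(s*Q), output = r with its top bits dropped.
    Returns (s, output); s is also the state fed to the next block."""
    s = x_coord(ec_mul(state, GEN))
    r = x_coord(ec_mul(s, Q))
    return s, r & MASK


def mod_sqrt(a):
    """Square root mod p for p = 3 (mod 4); None if a is a non-residue."""
    y = pow(a, (P256_P + 1) // 4, P256_P)
    return y if y * y % P256_P == a else None


def recover_next_state(out_i, out_next, d, Q):
    """State recovery with the trapdoor d (P = d*Q), as in the 2007 rump-session
    attack: enumerate the dropped top bits of out_i, lift each candidate x to a
    point R = s*Q, and compute d*R = d*s*Q = s*P, whose x-coordinate is the next
    internal state. The following block prunes the wrong candidates.
    Returns every state consistent with both blocks (normally exactly one)."""
    hits = []
    for hi in range(1 << TRUNC_BITS):
        x = (hi << (256 - TRUNC_BITS)) | out_i
        if x >= P256_P:
            continue
        y = mod_sqrt((x * x * x + P256_A * x + P256_B) % P256_P)
        if y is None:
            continue                                     # no point has this x
        s_next = x_coord(ec_mul(d, (x, y)))              # sign of y does not change x(d*R)
        if x_coord(ec_mul(s_next, Q)) & MASK == out_next:
            hits.append(s_next)
    return hits


def demo(d=0x5EC2E7,
         seed=0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF):
    """Three blocks from a trapdoored Q; then, from blocks 1 and 2 alone, recover
    the state and predict block 3. d and seed are constructed toy values."""
    Q = make_trapdoor_q(d)
    s1, out1 = dual_ec_block(seed, Q)
    s2, out2 = dual_ec_block(s1, Q)
    s3, out3 = dual_ec_block(s2, Q)
    recovered = recover_next_state(out1, out2, d, Q)
    predicted_out3 = [dual_ec_block(s, Q)[1] for s in recovered]
    return recovered, s2, out3, predicted_out3


if __name__ == "__main__":
    recovered, s2, out3, predicted = demo()
    print("true next state:      %x" % s2)
    print("recovered candidates: %s" % ["%x" % s for s in recovered])
    print("block 3 predicted correctly:", predicted == [out3])
```

Nothing in dual_ec_block changes between the trapdoored and the honest case; only the existence of someone holding d does, which is the auditability argument in the post. The same property is why a per-implementation Q generated from a discarded scalar (or, equivalently, a curve-and-point pair nobody else chose) removes the problem without touching the generator.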