[Cryptography] Juniper & Dual_EC_DRBG

David Wong David.Wong at nccgroup.trust
Tue Dec 22 17:16:48 EST 2015


> Do we have more explanations now ? :-)

There is a better explanation now from Matthew Green: http://blog.cryptographyengineering.com/
and rpw: https://rpw.sh/blog/2015/12/21/the-backdoored-backdoor/

Looks like Q was changed 3 years ago, not P (not unusual, since P is the standard generator), and nobody noticed.
It was a successful backdoor because you could easily get fresh random output from Dual EC, even though Juniper says you couldn't. Apparently it was because of an earlier "bug".
How come they realized this _now_? (http://seclists.org/dailydave/2015/q4/57)

Also, here are some explanations I wrote about Dual EC, if you want a crash course on the backdoored PRNG: https://cryptologie.net/article/287/dual-ec-or-the-nsas-backdoor-explanations/

Also, number 2: some stuff I wrote about looking for the NSA's values in Dual EC implementations, and how to get Q's y coordinate with Sage: http://cryptologie.net/article/315/how-to-check-if-a-binary-contains-the-dual-ec-backdoor-for-the-nsa/

David
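As an added worked example (not code from this mail or from the linked posts), the following pure-Python Dual EC DRBG over NIST P-256 shows why swapping Q is the whole attack: whoever chose Q so that P = e*Q for a known e can take one output block, brute-force the discarded high bits of the x-coordinate, lift it to the point r*Q, multiply by e to get r*P, and read off the next internal state. It also includes the "recover y from x" step mentioned above (p is 3 mod 4 on P-256, so a square root is one modular exponentiation), applied to the Q_x/Q_y pair from NIST SP 800-90A. Assumptions: the real DRBG discards 16 bits per block (2^16 candidates, which takes minutes in pure Python), so the demo runs with the truncation width set to 8 bits; the trapdoor e and the seed are constructed values, and the curve arithmetic is plain affine double-and-add, not constant time.

```python
"""Dual EC DRBG over NIST P-256 with a deliberately backdoored Q.

Added example, not code from the mail or the linked posts. Whoever knows
e with P = e*Q recovers the generator's internal state from one output
block and can then predict all later output.
"""
import secrets

# NIST P-256 domain parameters (FIPS 186-4).
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = p - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# The P-256 Q point published in NIST SP 800-90A for Dual_EC_DRBG, i.e.
# the constant a binary scan for the standard values would look for.
NIST_QX = 0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192
NIST_QY = 0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046


def ec_add(P1, P2):
    """Affine point addition; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P1):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P1)
        P1 = ec_add(P1, P1)
        k >>= 1
    return R


def recover_y(x):
    """Return a y with (x, y) on P-256, or None if x is not a valid x-coord.
    p = 3 mod 4, so sqrt(v) = v^((p+1)/4) whenever v is a square."""
    rhs = (pow(x, 3, p) + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return y if y * y % p == rhs else None


def nist_q_point():
    """Standard Q with its y recomputed from x, as one does when only the
    x-coordinate is found in a binary."""
    return (NIST_QX, recover_y(NIST_QX))


def dual_ec_step(s, Q, trunc_bits):
    """One Dual EC block: r = x(sP), s' = x(rP), out = x(rQ) minus top bits."""
    r = ec_mul(s, G)[0]
    s_next = ec_mul(r, G)[0]
    out = ec_mul(r, Q)[0] & ((1 << (256 - trunc_bits)) - 1)
    return s_next, out


def make_backdoored_q(e):
    """Pick Q = e^-1 * P so that P = e*Q; e is the trapdoor."""
    return ec_mul(pow(e, -1, n), G)


def recover_state(out1, out2, e, Q, trunc_bits):
    """Given two consecutive output blocks and the trapdoor e, recover the
    state used after out1. Each guess of the dropped high bits lifts x to a
    point A = rQ; then e*A = r*(eQ) = rP, whose x-coordinate is the next
    state. The sign of y is irrelevant because x(e*(-A)) == x(e*A)."""
    for high in range(1 << trunc_bits):
        x = (high << (256 - trunc_bits)) | out1
        y = recover_y(x)
        if y is None:
            continue
        s_guess = ec_mul(e, (x, y))[0]
        _, predicted = dual_ec_step(s_guess, Q, trunc_bits)
        if predicted == out2:
            return s_guess
    return None


def demo(trunc_bits=8, seed=None, e=None):
    """Generate blocks with a backdoored Q, recover the state, predict on."""
    e = e or secrets.randbelow(n - 1) + 1          # constructed trapdoor
    Q = make_backdoored_q(e)
    s0 = seed or secrets.randbelow(n - 1) + 1      # constructed seed
    s1, out1 = dual_ec_step(s0, Q, trunc_bits)
    s2, out2 = dual_ec_step(s1, Q, trunc_bits)
    recovered = recover_state(out1, out2, e, Q, trunc_bits)
    # With s1 in hand the attacker reproduces every later block.
    _, out3 = dual_ec_step(s2, Q, trunc_bits)
    _, pred3 = dual_ec_step(dual_ec_step(recovered, Q, trunc_bits)[0], Q, trunc_bits)
    return recovered == s1 and pred3 == out3


if __name__ == "__main__":
    print("state recovered and next block predicted:", demo())
```

The attack needs nothing but output bytes, which is why the question of whether Juniper actually exposed raw Dual EC output on the wire decides whether the changed Q is exploitable. Note that the implementer's own P = e*Q relation is the only secret; replacing Q with a point whose discrete log relative to P you do not know (or picking Q verifiably at random) closes the trapdoor but keeps the generator just as slow.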