[Cryptography] Juniper & Dual_EC_DRBG

Ray Dillinger bear at sonic.net
Wed Dec 23 03:53:41 EST 2015

On 12/22/2015 09:37 PM, Paul Wouters wrote:
> On Tue, 22 Dec 2015, Ray Dillinger wrote:

>> Seventh, the bug that has them using Dual_EC_DRBG in the
>> first place has not, so far, been fixed by their security
>> patch.

> That was not a bug, but a design choice, motivated by unknown to us
> reasons (but surely not speed because it is slow and it also supposedly
> used 3DES which is also slow)

Not a bug??

I beg your pardon?

In what universe is any use of Dual_EC_DRBG not a bug?  It is
known to be flawed, it is known to be inefficient, and it is
known to inspire loathing and distrust of products which use it.
The supposed "theoretical guarantees" that NIST touted for it
are nullified, even if their design worked the way they made it
look like they wanted it to, by using it as a key generator for
a PRNG that does not provide those guarantees.  What possible
attribute could make it anything other than a bug?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20151223/23f3c3d4/attachment.sig>

More information about the cryptography mailing list