[Cryptography] Juniper & Dual_EC_DRBG: Why Now?

Henry Baker hbaker1 at pipeline.com
Wed Dec 23 19:25:42 EST 2015

At 08:05 AM 12/22/2015, Henry Baker wrote:
I'm seeing hands in cookie jars... Also,

>The louder he talked of his honor, the faster we counted our spoons...
>'The U.S. officials said they are certain U.S. spy agencies themselves aren't behind the back door'
>'... because of the sophistication involved'  ;-)
>Newly discovered hack has U.S. fearing foreign infiltration

OK, I've tried to read all the reports & blogs about this to get some sense of what's happening here.

The best question of all: "why NOW?"

This dog has been sleeping for years; what woke him up?

My best guess: politics.  Due to the looming possibility of Congress *requiring* back doors, someone at the NSA finally woke up & realized that backdoors for Comey & Vance would put the US more at risk than any possible advantage in intelligence.  Another OPM caused by such a backdoor would get someone high up in the NSA fired -- even if it needed to happen in private.

In fact, just recently, a number of retired intel folks have said as much, but Congress & the Chicken Little prez candidates haven't been listening.

(It also helps that the open crypto & security communities were fast closing in on this EC B.S.; make lemonade out of lemons by preemptively being the "good guy" here.)

So, whether NSA put the back door into Juniper or not, the NSA *knew about its existence* -- possibly by monitoring whoever else *did* know about it -- and so the NSA could easily cause this bug to get disclosed & hence fixed.

The NSA could always claim that it "just now found out about it", and was acting like the good guy by getting it fixed.  It never has to acknowledge that it may have been using this vuln itself for years.

