[Cryptography] [FORGED] Re: "NSA could put undetectable “trapdoors” in millions of crypto keys"
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Oct 11 23:36:37 EDT 2016
james hughes <hughejp at me.com> writes:
>The problem is not the algorithm, it is the improper standardization of
>random parameters and the inflexibility of the protocols to allow these
>parameters to be used as designed.
I'm not sure if it's really that bad. IPsec has predefined groups,
CMS / SMIME uses the X9.42/DSA format but then no-one uses DH in S/MIME
anyway, SSH had predefined groups but switched to the server-specifies-the-
group, but many use e.g. the RFC 3526 parameters which you can check for
and fastpath, and TLS has the TLS-LTS draft which fixes the problem there.
So the problem areas are really SSH with unknown-provenance negotiated
parameters and TLS without TLS-LTS with the same thing. However, even there
the potential attack seems a bit unclear; someone would have to convince a
server operator to adopt booby-trapped parameters. Sure, you may be able to
do that, but then you can probably also persuade them to install this little
server-side plugin that optimises performance or something, don't bother
scanning it with your AV, it's perfectly legit.
Peter.
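The "check for and fastpath" idea above, as an added example that is not from this thread or from any of the implementations it mentions: a negotiated DH group is accepted immediately if it is a known RFC 3526 group, and otherwise has to pass the checks one would apply to parameters of unknown provenance (minimum size, safe prime, generator of the order-q subgroup). Assumes Python 3; the function names `check_dh_group` and `is_probable_prime` are hypothetical, and the known-group table holds only the RFC 3526 1536-bit group for brevity.

```python
import secrets
# RFC 3526 1536-bit MODP prime (group 5), generator 2, as published in the RFC.
RFC3526_1536 = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1
29024E088A67CC74020BBEA63B139B22514A08798E3404DD
EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245
E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D
C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F
83655D23DCA3AD961C62F356208552BB9ED529077096966D
670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF
""".split()), 16)
KNOWN_GROUPS = {(RFC3526_1536, 2)}  # (p, g) pairs accepted on the fastpath

def is_probable_prime(n, rounds=32):
    # Miller-Rabin with random bases; error probability at most 4**-rounds
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_group(p, g, min_bits=2048):
    # 'known' = RFC 3526 fastpath; anything else gets the full validation
    if (p, g) in KNOWN_GROUPS:
        return "known"
    if p.bit_length() < min_bits:
        return "rejected: p too small"
    if not is_probable_prime(p):
        return "rejected: p not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):  # not a safe prime: small subgroups can hide
        return "rejected: p not a safe prime"
    if not 1 < g < p - 1 or pow(g, q, p) != 1:
        return "rejected: g does not generate the order-q subgroup"
    return "validated"
```

The small constructed groups used for testing (p = 23, 25, 29) only exercise the rejection paths; in practice the default `min_bits` throws out anything below 2048 bits before any primality work is done.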