New NSA-Approved Encryption Standard May Contain Backdoor
Hugh Pickens writes "Bruce Schneier has a story on Wired about the new official standard for random-number generators the NIST released this year that will likely be followed by software and hardware developers around the world. There are four different approved techniques (pdf), called DRBGs, or 'Deterministic Random Bit Generators' based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. The generator based on elliptic curves called Dual_EC_DRBG has been championed by the NSA and contains a weakness that can only be described as a backdoor. In a presentation at the CRYPTO 2007 conference (pdf) in August, Dan Shumow and Niels Ferguson showed that there are constants in the standard used to define the algorithm's elliptic curve that have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG."
Hmm, how is this secure when you passed the password in plaintext? Do you think the NSA is that naive?
--
make install -not war
The execs who run the NSA are responsible for letting bad math out the door, as well as for breaking the law.
--
make install -not war
It's not a "panacea". It's just a way of working. That's better than the alternative. As well as to say that "binary" is a panacea. There's always a lot of work to do. Open source is just the only way for that work to have any chance to reliably succeed.
--
make install -not war
"It doesn't matter how many eyes you have on it"? If the NSA made its algorithms secret, and required we all just use black boxes, that would be a lot less secure.
And before you call that fiction, remember that today's NSA is the product of 7 years of the most secretive, abusive, and untrustworthy presidency in history. Which has perverted the NSA beyond recognition as an American agency. They were never any saints, but if you don't think more eyes on their work is better, then that just means they don't have to waste any more time fooling you.
--
make install -not war
Thanks for mentioning that. When I read this story, my first thought was of the Clipper chip, and "key escrow". Security model: "trust us, we're from the government". It wasn't worth believing then, and now, after a decade of Republican honesty in government, it's like a diet of tainted government cheese.
--
make install -not war