Slashdot Mirror


Are the NIST Standard Elliptic Curves Back-doored?

IamTheRealMike writes "In the wake of Bruce Schneier's statements that he no longer trusts the constants selected for elliptic curve cryptography, people have started trying to reproduce the process that led to those constants being selected ... and found it cannot be done. As background, the most basic standard elliptic curves used for digital signatures and other cryptography are called the SEC random curves (SEC is 'Standards for Efficient Cryptography'), a good example being secp256r1. The random numbers in these curve parameters were supposed to be selected via a "verifiably random" process (output of SHA1 on some seed), which is a reasonable way to obtain a nothing-up-my-sleeve number if the input to the hash function is trustworthy, like a small counter or the digits of pi. Unfortunately it turns out the actual inputs used were opaque 256 bit numbers, chosen ad-hoc with no justifications provided. Worse, the curve parameters for SEC were generated by the head of elliptic curve research at the NSA — opening the possibility that they were found via a brute force search for a publicly unknown class of weak curves. Although no attack against the selected values is currently known, it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies. Now that the world has received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation, NIST re-opened the confirmed-bad standards for public comment. Unless NIST/the NSA can explain why the random curve seed values are trustworthy, it might be time to re-evaluate all NIST-based elliptic curve crypto in general."

76 of 366 comments

  1. Meta review by pr0nbot · · Score: 5, Interesting

    As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

    1. Re:Meta review by FriendlyLurker · · Score: 5, Insightful

      it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

      Well then, how do we explain the common practice of using magic numbers in cryptography standards, then?

      As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

      Exactly. A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable, and they should be put to task over the issue, removed from decision making posts and in the worst cases, professionally shunned by the community and excluded from all standards processes... the cost of not doing this is a return to business as usual once things settle down.

    2. Re:Meta review by TWiTfan · · Score: 2

      Don't worry, James Clapper has assured us that there is nothing to see here--and that the NSA's petabytes of storage, tens of billions of dollars of CPU muscle, and 35,000 employees are just being used to spy on a few diplomats in some embassy in some country that we don't like anyway (probably one of them commie ones).

      Now let's all stop worrying about such silly matters and go buy new iPhones!

      --
      The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
    3. Re:Meta review by Nerdfest · · Score: 2

      ... then perhaps a formal process is required.

    4. Re:Meta review by Anonymous Coward · · Score: 5, Funny

      So I can just replace the NSA's magic-numbers with my own generated from RdRand! *ducks*

    5. Re:Meta review by Anonymous Coward · · Score: 3, Funny

      Well then, how do we explain the common practice of using magic numbers in cryptography standards, then?

      That's easy to explain. Secret orders from secret courts and secret gag orders with secret threats that you will be "relocated" to a secret prison somewhere unless you comply (and keep your objections secret).

    6. Re:Meta review by afidel · · Score: 5, Informative

      Suspicious, yes, but not necessarily bad; remember that the NSA also manipulated the S-box values for DES to make them more resistant to differential cryptanalysis, a technique not yet known to the wider community.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    7. Re:Meta review by postbigbang · · Score: 5, Interesting

      Even when pi or rho or other "random" numbers are used for seeds as "magic" numbers, additional hashing and rehashing is needed to give further difficulty to decryption by those NOT having the key numbers.

      With each new algorithm there is an army chomping at the bit (pardon the pun) to decrypt it, if not for fun or enlightenment, for the profit of the decrypted information value-- if any.

      The problem here is trust. The NSA has blown its trust completely, beyond identifiability. Other initiatives, like SELinux, and security initiatives are now also in question, as well as anything the NSA has touched. They're dirty, and make Americans and the world not trust in their own government. We were supposed to be the good guys, we Yanks, and guess what? It was all a lie. Now the NSA has made an enemy of civil people, and civil people will need to protect themselves extra-governmentally, because the government has proven it's not protecting the interests of its citizenry.

      Sorry to astroturf, but seeds are no longer the problem. The problem is trust.

      --
      ---- Teach Peace. It's Cheaper Than War.
    8. Re:Meta review by Qzukk · · Score: 2

      how do we explain the common practice of using magic numbers in cryptography standards, then?

      They came from the government, and the government is here to help.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    9. Re:Meta review by Bill, Shooter of Bul · · Score: 4, Funny

      Wow. You butchered a butchered phrase. Truly, the student has become a more smart man- doesn't need school.

      It's "fool me once, shame on - shame on you. Fool me - you can't get fooled again."

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    10. Re:Meta review by kelemvor4 · · Score: 4, Funny

      it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

      Well then, how do we explain the common practice of using magic numbers in cryptography standards, then?

      Explainable magic numbers.

    11. Re:Meta review by Dan Ost · · Score: 3, Interesting

      Because the designers of the Linux random number generator code designed things such that if RdRand is compromised, it doesn't reduce the strength of the random number generated. However, if it is not compromised, then the randomness is stronger.

      Why should we give up a potential benefit if there is no possible harm?

      --
      *sigh* back to work...
    12. Re:Meta review by daremonai · · Score: 4, Informative

      Iran is not a semitic country, by and large. The majority of the population is ethnic Persians who speak Farsi, an Indo-European language. The second largest group is the Azerbaijanis, who speak a Turkic language. I don't think the semitic population (mostly Arab and Assyrian) amounts to more than 10%.

    13. Re:Meta review by Carewolf · · Score: 5, Informative

      Iranians are NOT semitic, they are Aryan, the name Iran literally means home of the Aryans. Named so because that is the one common thing that separates the various Iranian people from their semitic neighbours the Arabs.

    14. Re:Meta review by X.25 · · Score: 2

      As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

      Weaknesses?

      It is simple. Weakness was 'trust'.

      I did want to believe that NSA wouldn't be such cunts as to completely ruin the internet and open research by abusing the trust people gave them. I gave them my trust as well.

      They basically destroyed the Internet as we knew it, because much of it was based on trust.

      Welcome to a collection of commercial networks interconnected for advertising and content-consuming purposes.

      Because that's pretty much what's left of it.

  2. hmmm by wbr1 · · Score: 2

    Didn't TOR recently upgrade to the 'more secure' elliptic curve crypto?

    This shit will not end until this country is bankrupt completely, or taken over (from within or without).

    --
    Silence is a state of mime.
    1. Re:hmmm by TWiTfan · · Score: 4, Insightful

      The sad thing is that there is no way to ever put Humpty Dumpty back together again. The U.S. just permanently lost any position as a leading internet innovator. Nothing the U.S. leaders of industry can do now will ever earn back the trust of the rest of the world. No country or company in their right mind will ever trust a U.S. company with sensitive data ever again, and most of the companies that currently do are likely just biding time until they can find a non-U.S. based alternative (or some way to heavily encrypt their data).

      --
      The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
    2. Re:hmmm by Anonymous Coward · · Score: 3, Informative

      Yes, but they are using curve25519 which is not one of the curves recommended by NSA or NIST, and which does not have any unexplained magic numbers in its definition.

    3. Re: hmmm by sumdumass · · Score: 2

      You will find that the majority of decision makers around the world, whether in business or government, will not care as much about this in the long run as you do.

      In other words, what you say should be true in book form but will not be true in practice. Many people/governments will not even bother looking to see who is behind what, they will be looking to see if it is an industry accepted standard and our personal concerns will rarely change those. If it could, we wouldn't see wireless at half these businesses.

    4. Re:hmmm by Anonymous Coward · · Score: 2

      Yes, but they also use ECDHE TLS p224 to negotiate TLS secret keys. Isn't that recommended by NIST?

      I'm not an expert, I'm just asking.

    5. Re:hmmm by EmperorOfCanada · · Score: 2

      It will take time. I suspect that companies like Cisco will sigh a breath of relief over the next few months when sales don't plummet. What they won't realize is that the biggest companies that have no doubt issued directives for an end-to-end anti-US-snooping overhaul will take a while to figure out what needs to be replaced and which products are best. So while these audits and re-architectings take place these companies will continue with business as usual. And even when the plan is deployed I doubt 100,000-employee companies will just toss all their stuff out on Friday to have it all replaced on Monday. They will start with the most critical bits and work their way down the information value chain. So at this point the Cisco-type companies will see a slight drop in sales but even still the companies will continue with maintenance contracts to keep their gear going.

      But at a certain point you will have an interesting problem. That is that these companies will begin to dump their Cisco gear onto the open market. So along with a sudden drop in sales to key customers you will have a glut of un-trusted gear flood the market.

      I use Cisco as an example but you can sub in any American (or American stooge country) networking gear company.

      I also expect to see a flourishing of cryptography in various foreign math departments around the world. If I were a Siemens I would be giving fairly large grants to German/Swedish/Norwegian etc math departments to do two things, check for backdoors and to come up with crypto systems that are quite unlike anything that the NSA has recommended.

      But switching crypto systems is not as easy as just coming up with something that a bunch of math wizards think is solid. Things like AES crypto is baked right into many modern chip sets at the assembly instruction level. This is why AES based crypto is fantastically fast. So if your new system is different enough yet theoretically computationally equivalent to AES then it will be significantly slower on most chips.

      One of the interesting changes that will probably come from this is that people won't trust anything. Thus they will run in 100 different directions. This will be a nightmare for the NSA because even if they can break every crypto system that comes along they will have to spend the time to break them all.

      But there is one system that can't be broken and that is one time pads. You have to physically share the pad but that is not so onerous for most companies as they have trusted employees going from branch to branch all the time. If the border people grab a copy of the OTP then you just toss it in the garbage. Plus one time pads can be layered. So you don't need to trust just one person taking one route.

    6. Re:hmmm by Anonymous Coward · · Score: 2, Interesting

      The sad thing is that there is no way to ever put Humpty Dumpty back together again. The U.S. just permanently lost any position as a leading internet innovator.

      And because having worked for NSA or NSA-linked contractors is seen as a black mark on one's academic career, NSA has also jeopardized its own ability to recruit the next generation of cryptographers.

      There's give and take between the SIGINT and COMSEC missions, and nobody here (or within the IC) is privy to all the information. I fear that by the time it's all declassified in 25 years and can be analyzed in context, the decisions made over the past 12 years will have proven to be gross strategic errors that did far more harm than any harm they prevented.

    7. Re: hmmm by Lumpy · · Score: 2

      Or if the NSA back doors get compromised and are in the wild. Suddenly the idiot CTOs will take notice.

      --
      Do not look at laser with remaining good eye.
    8. Re:hmmm by jasax · · Score: 2

      If I were a Swiss, I would start a "safe databank service" company right now. The slogan would be:
      "We kept your money safe (and secret) for hundreds of years; we invented the cuckoo clock; we'll keep your secret data safe for the next thousands of years!!!"
      Big business here :-) Kickstart the thing!

    9. Re:hmmm by joe_frisch · · Score: 5, Insightful

      I think that American users have more to fear from US government spying than foreign users do. Frankly I don't care if the Chinese government has access to all of my personal data - they have very little ability to or interest in interfering with my life. The US government on the other hand is much more likely to act against me in response to my (hypothetical) online mis-behavior. In the same way Chinese citizens have little to fear from the US government but a lot to fear from their own.

      The very important exception to this is when you are dealing with industry trade secrets: it is quite possible that foreign governments with links to industry represent a larger threat than your own. Of course while the NSA as an organization almost certainly does not sell trade secrets that they have obtained, it is possible that individuals working for the NSA might do so. Snowden stole a bunch of information and turned it public; another man in the same situation might well have sold it.

    10. Re:hmmm by HornWumpus · · Score: 4, Informative

      The Swiss recently sold all the numbered account holders that didn't open their accounts prior to 1950 down the river.

      The old money families (Kennedys, DuPonts etc) got to keep their secret accounts secret. Everybody else got fucked.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    11. Re:hmmm by chill · · Score: 2

      Those who don't know history are doomed to repeat it.

      http://en.wikipedia.org/wiki/Crypto_AG

      --
      Learning HOW to think is more important than learning WHAT to think.
  3. Why is EC more secure than RSA? by pikine · · Score: 4, Interesting

    Color me ignorant, but could someone please explain why elliptic curve is more secure than RSA? Wikipedia even claims that a 128-bit EC key is equivalent to a 3072-bit RSA key. Even if it's the computational complexity of brute forcing discrete log or integer factorization on a non-deterministic Turing machine, it should differ by no more than a small constant factor, e.g. 512-bit versus 1024-bit, not by O(sqrt(n)) as Wikipedia claims. Wikipedia is simply quoting NSA.

    --
    I once had a signature.
    1. Re:Why is EC more secure than RSA? by Anonymous Coward · · Score: 5, Informative

      The number field sieve relies on the smoothness of the integers modulo n. Using an elliptic curve group rather than the integers modulo n removes this smoothness, so the fastest algorithms available to determine the discrete logarithms are much slower (I believe they're based on Pollard's rho algorithm).

      If that made no sense to you, go brush up on your number theory.

      If you don't want to learn number theory, then accept that you are incapable of having an informed opinion on asymmetrical cryptography standards. (Which is okay, we can't all have an informed opinion on every issue; your brain can only hold so much stuff, right?)
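      Putting numbers on the answer above (an added worked comparison, not part of the original comment; the costs are the standard asymptotic ones for Pollard's rho and the general number field sieve, with the $o(1)$ term dropped):

      For a prime-order group with no exploitable structure, the best known generic discrete-log algorithms (Pollard's rho among them) need about
      $$ \sqrt{\pi n / 2} \approx 2^{128} \quad \text{group operations for } n \approx 2^{256}, $$
      so a 256-bit curve gives a 128-bit work factor. For RSA, the general number field sieve factors a modulus $N$ in
      $$ L_N\!\left[\tfrac{1}{3}, c\right] = \exp\!\Big( (c + o(1))\,(\ln N)^{1/3}\,(\ln \ln N)^{2/3} \Big), \qquad c = (64/9)^{1/3} \approx 1.923, $$
      which is subexponential in the key length. For a 3072-bit modulus, $\ln N \approx 2129$ and $\ln \ln N \approx 7.66$, so the exponent is about $1.923 \cdot 12.87 \cdot 3.89 \approx 96$, i.e. roughly $2^{139}$ operations with the $o(1)$ term dropped; calibration against real factoring records is what brings the equivalence tables (NIST SP 800-57) down to the quoted 128 bits for 3072-bit RSA. The shape of the two formulas is the whole answer to the question: doubling the curve's bit length squares the rho cost ($\sqrt{n} \to n$), while doubling the RSA modulus length multiplies the GNFS exponent by only about $2^{1/3} \approx 1.26$. One cost is exponential in the key length, the other is not, so no constant-factor relation between the key sizes can hold.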

    2. Re:Why is EC more secure than RSA? by gnasher719 · · Score: 3, Insightful

      A 1024 bit RSA key can trivially be cracked in 2^512 operations. An algorithm that uses 2^341 operations (cube root) and involves no more than high school maths was found about 1975. Then we need to go into deep maths, but there are algorithms that are significantly faster, and there is no good reason to think that more progress couldn't be made. 128 vs 3072 is a bit much, but factoring 1024 bit numbers in 2^128 operations doesn't seem impossible.

    3. Re:Why is EC more secure than RSA? by Anonymous Coward · · Score: 3, Informative

      Public key cryptography is based on mathematical operations which are easy to do but difficult to do in reverse. For example, it is easy to multiply two big prime numbers, but it is difficult to factorize the product. There are multiple such easy-difficult pairs. Currently none of the supposedly difficult problems has been proven to be difficult. It is just assumed that they are difficult because nobody has found an easy way, but people are working on making the difficult problem easier to solve, and advances in that regard weaken the associated cryptographic systems. Significant advances have been made in solving the difficult problem at the heart of RSA (but it's not publicly broken yet.) That's the reason for the recommendation to switch to a different easy-difficult pair for public key cryptography. The different key sizes are the result of the kinds of numbers which form the public and private keys in these different algorithms.

    4. Re:Why is EC more secure than RSA? by Anonymous Coward · · Score: 4, Informative

      The discrete log problem on an elliptic curve is believed to be more computationally intensive than the discrete log problem in a ring of integers. For example, see http://www.ams.org/journals/mcom/1987-48-177/S0025-5718-1987-0866109-5/S0025-5718-1987-0866109-5.pdf and http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=F220DD223483B78B72C9CE243A62ADD7?doi=10.1.1.39.4125&rep=rep1&type=pdf

    5. Re:Why is EC more secure than RSA? by lordlod · · Score: 5, Interesting

      The elliptic-curve algorithm is much slower for future quantum-based attacks. So it's future-proofing, which is required if you want your secrets to stay secret.

      You could get similar results by adopting a 15000 bit RSA key... but that's getting rather large.

      A paper with some classical and quantum time estimates, Elliptic-Curve vs RSA: http://arxiv.org/pdf/quant-ph/0301141v2.pdf

    6. Re:Why is EC more secure than RSA? by complete loony · · Score: 2

      An RSA private key is two prime numbers, the public key is the product of those primes. You only have to find the smaller of the two secret primes, so a full brute force search only has to consider numbers that are prime and less than the square root of the public key size. And I believe there are a number of other shortcuts that can be used to reduce the search. Whereas for EC keys (AFAIK) practically all of the key space of 128-bit integers are valid private keys.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    7. Re:Why is EC more secure than RSA? by mlts · · Score: 2

      I am pretty sure that NeXT took it out because crypto was classified as a munition back then under ITAR, so it was yanked out in a subsequent version. Instead, it had this pseudo public key applet where one could type a password, and the public key was something generated from the password, so when you wanted to sign or decode something, the password was the private key.

      I think it was the NSA or someone who goaded Apple into having decent security put in, from the improvements in how passwords were stored in OS X (first hashed, now salted and hashed with multiple rounds), to having decent full disk encryption.

      I don't think any large company wants to be particularly crypto-friendly unless they are selling to a niche enterprise market. There is always a fear that one of the Four Horsemen of the Infocalypse would use their product and the police/LEOs will be saying to the press that if it were not for foobar's product, these criminals would have been caught and lives of children not lost, or why is their security product so good that only "terrorists" would use it.

      I do agree about trying to get gpg [1] on a Mac. One either is forced to trust the mac port, or have to fetch a ton of libraries and build the prereqs to compile a usable gpg binary. Of course, one can use the commercial product from Symantec, Symantec Encryption Desktop Professional, but the price of that is pretty steep (think around $258.25.)

      iOS is even worse. Good luck deleting root certificates from the device that you don't want. You trust what Apple says you need to trust, or go find another device to use. PGP/gpg apps are available for iOS, but the quality of the apps is "meh" at best, especially if you want to encrypt files before throwing them on an archive server, or use more advanced OpenPGP functionality like storing multiple files in one packet.

      Most companies seem to have gone the "BYOC" (bring your own crypto) route other than Linux distributions and BSD variants. Yes, one -can- grab a binary, but how can you trust it, unless you download the binary to a trusted system with an existing copy and validate it there.

      [1] PGP [2] is a very mundane, boring tool. However, it has stood the test of time, being standalone and not dependent on an OS, a CA system, a licensing model, or other factors. It has become so boring that it has been largely ignored except as a signing tool for OS distributions. It would be nice to see PGP keysigning parties again, or other ways to build one's personal web of trust.

      [2]: I'm stating PGP as a superset of NetPGP, PGP, and gpg -- a utility that groks OpenPGP files, basically.

  4. Not shown to be good by Anonymous Coward · · Score: 3, Insightful

    Why are people even asking if it's been backdoored? It's already established that no one can explain the constants. It hasn't been shown to not be backdoored. That's enough to prove beyond the shadow of a doubt that it's wrong. Arguing about whether the standard is compromised by mere incompetence or malice, isn't worth spending time on.

    If you don't know something is done right, then that alone is irrefutable proof that it has been done wrong. Even if they're good constants.

    1. Re:Not shown to be good by somersault · · Score: 2

      It hasn't been shown to not be backdoored

      You can't really prove that something doesn't have a back door without putting in enough resources to find all the back doors there could possibly be... so that doesn't make much sense either.

      --
      which is totally what she said
    2. Re:Not shown to be good by Chacharoo · · Score: 4, Insightful

      I wish the parent were modded up. It's the loss of trust that's the bottom line. The constants may well not be back-doored. Or they may be. But once the trust is gone, and there's no verification of how the numbers arose in the first place, it's already too late.

    3. Re:Not shown to be good by Entropius · · Score: 2

      If you find out that the locksmith who installed your locks is working for the mob, changing your locks is probably a pretty good idea. Do you know that he's given them a copy of the master key? No, but a locksmith getting paid by the mob usually means only one thing...

  5. Replaced security with obscurity by Anonymous Coward · · Score: 3, Insightful

    The essence of what the NSA did was to replace cryptographic security with security through obscurity. People who haven't found the back door yet don't know it's there. Classic 'security via obscurity', which is the opposite of crypto.

    Now everyone knows they're there, we need to replace them damn fast. Waiting for the backdoor to be verified is too late, by then bad actors (I mean ones other than General Alexander) could already have found it.

    Replacing these takes time, and so the assumption should be they are vulnerable, because the NSA leaks show the NSA knows they are vulnerable, even if we don't quite know the micro detail of how, yet.

  6. We owe our thanks to Mr. Snowden by Taco Cowboy · · Score: 5, Insightful

    ... A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable

    This, and many other exposés, can only come to light because of the courage of a single person - Mr. Edward Snowden.

    If not for Mr. Snowden, would we ever discover the phenomenon of the "magic number"?

    If not because of Mr. Snowden, we wouldn't even begin to question the integrity of those previously highly regarded "very important people".

    If not for his courage, how much more damage would all of us have to suffer?

    And yet, inside the United States of America, there are still people treating Mr. Snowden as though he is a traitor.

    And even here on Slashdot, we have posters posting very stinging attacks on Mr. Snowden.

    Our country is under attack, and the attacker is our own government, but yet, there are still Americans who will do everything to help deepen the tyranny, all in the name of "patriotism".

    I, an American citizen, do owe my deepest thanks to Mr. Edward Snowden, and I do hope that more of my fellow Americans will start acknowledging that something very, very wrong has happened to America, the country we love so much, and that we should start doing something together, to RIGHT THE WRONGS.

    There have been too many comments that essentially convey the message that we, the People of America, have no power to determine our own future, and that our government, is so overwhelmingly powerful that we are ready to become their slaves, rather than stand up and oppose the tyranny.

    Is America still the land of the free, and the home of the brave?

    Or has America turned into the land of the enslaved, and the home of the cowards?

    The choice is in your hands, my fellow Americans.

    Either we start righting the wrongs now, or we will end up handing over to our children a country of tyranny.

    Are we going to let our children suffer because of our cowardice?

    You are the only one who can answer the question.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:We owe our thanks to Mr. Snowden by j3thr0 · · Score: 5, Informative
      --
      I'm schizophrenic; no I'm not.
    2. Re:We owe our thanks to Mr. Snowden by rvw · · Score: 5, Insightful

      Except that this came to light back in 2007.
      http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

      So why has nobody fixed this in the past six years? Thanks to Snowden it's back in the spotlight, and now it seems like action is being taken. That's his legacy. I thank him for that.

    3. Re:We owe our thanks to Mr. Snowden by IamTheRealMike · · Score: 5, Informative

      That story is about Dual_EC_DRBG which was indeed strongly suspected of being an NSA back door back in 2007. Snowden confirmed the suspicion. However this story is not about that algorithm. It's about the SEC random curves that are used for signing and other crypto, not random number generation. There are two different algorithms under discussion here.

    4. Re:We owe our thanks to Mr. Snowden by lkcl · · Score: 5, Insightful

      if you've seen the film with nicholas cage, it highlighted for me for the very first time that the U.S. Constitution was written by some extremely fore-sighted people. there are specific words in it which not just permit but *OBLIGATE* you - each and every american citizen - to overthrow any government that has become tyrannical or otherwise lost its way.

      given that america has such a significant hold over the rest of the world, *i* as a UK citizen am obligated to point this out to you, because by not doing so it will have an adverse effect (through erosion of sovereign rights of each and every country - erosion initiated by the corrupt U.S. Govt infrastructure) on *my* country to whom *i* hold allegiance.

      so - get to it, americans - get your act together!

    5. Re:We owe our thanks to Mr. Snowden by MickLinux · · Score: 2

      The keys to the definition of kook are held by the government. If you want to know the truth, you have to ignore the label kook.

      That doesn't mean that all kooks have the truth. It means that the label kook is often a slanderous title used to hide the truth.

      Look at syzygyjob.com, and see the earthquake prediction by Jack Coles. He's rotting in prison even as he does it, calls in his predictions by collect call. I have no idea what he did or is supposed to have done to warrant prison, but I do know that Jim Berkland has asserted on the www that he was committed to a mental hospital for the offense of saying to the court that his occupation was earthquake forecaster.

      Now, I suspect that Coles is misinterpreting his data. I think that he believes that the radio signals he gets are piezoelectrically induced, whereas they may be simply the result of the reflection of broadcasted waves, off microdust in the atmosphere, caused by slow-slip quakes. Big whoopdedoo. He can be wrong; I'm probably wrong; but that doesn't make his statement that he is an earthquake forecaster false. Nor does it require a person to be committed to a mental hospital.

      That is the power that our government wields. Are we now in an age when nonconformance means assignment to a prison, without rights, under the name of "mental health"? So what is the difference between that, and the Nazi government before it destroyed a quarter of the world, ending with Germany and itself?

      If you want to have a chance at knowing the truth, drop the term kook. Or take it as a badge of nonconformance.

      --
      Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
    6. Re:We owe our thanks to Mr. Snowden by chuckinator · · Score: 2

      Elliptic curve cryptography looks great on a machine running HollywoodOS at your local cineplex, but I have yet to see a single convincing argument for using it for real life cryptography beyond the cool factor and a bunch of hand waving. It's weak and suffers from weird factorization and Fourier based cryptanalysis, and it's simply inferior to exponentiation based algorithms such as those used in Diffie-Hellman variants, RSA, DSS, krb5, etc.

    7. Re:We owe our thanks to Mr. Snowden by Anonymous Coward · · Score: 5, Insightful

      Before it came to light as a theoretical possibility. People could see that the possibility existed, however accusing the NSA of having used it would be accusing them of deliberately and knowingly weakening the security of systems designed to be used in defence of their country. That is a pretty serious accusation against people who essentially work for the military. Most people's belief in innocent until proven guilty made that a hard case to make.

      Now, thanks to Snowden, we know they have been weakening system security for their own convenience. Suddenly many people's old viewpoints have become obviously naive.

    8. Re:We owe our thanks to Mr. Snowden by alexgieg · · Score: 2

      we should start doing something together, to RIGHT THE WRONGS.

      The problem is that whenever discussions on these topics come about, the proposed "solutions" are always framed within the rules set by the power elites. And the power elites are this because they are masters of this game. In fact, they've mastered it so much that nowadays even violent revolutions are no exceptions, they also fit within the rules, just another subset of the same old game.

      No, the actual solution is to break the rules altogether. Throughout history what managed to alter the rules the most were technological and scientific changes. But only alter, because they still mostly happened at a pace master manipulators (politicians, statesmen and other power hungry individuals) could deal with. So to actually break the rules technological change must come at even faster rates, to the point it surpasses human ability to keep pace altogether. And by that I don't mean merely politicians' ability. Organizations like the NSA employ the brightest of the brightest. That's the level that must be overcome.

      What will right the wrongs then, if we happen to do it right, will be molecular nanotechnology-controlling friendly exponentially self-improving general artificial intelligence, a.k.a. the Singularity. The flip side of the coin is that not doing it right will mean the extinction of the human species, as a non-friendly one won't have any reason to keep us around. In any case, one way or the other it'll be the ultimate rule breaker, the one after which everything that came before will be meaningless.

      So, we should really focus on that. The first research institute (or garage or basement) to manage it will change everything, for better or worse. As for the standard alternatives though, nope, they're just more of the same.

      --
      Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
    9. Re:We owe our thanks to Mr. Snowden by twotailakitsune · · Score: 2

      The DES "S-boxes" were magic numbers that people believed were a backdoor. It took years for people to see that they closed weaknesses. The way the NSA works, they can't talk about why they put in the magic numbers. Not that we should not try to find out what the numbers do. If we change the "magic number" without learning that it really is a weakness, we could end up making elliptic curve cryptography weaker.

    10. Re:We owe our thanks to Mr. Snowden by s.petry · · Score: 2

      When it came to light in 2007 why was it tamped down and not dealt with? Is there a history that needs to be audited to explain why it drifted (was pushed?) back into obscurity? Perhaps there's even more value in investigating this. Could there be agents that need to be identified and rooted out?

      Because the same corrupt people doing bullshit like this own the media, and have sock puppets for sites like /.. How hard is it for them to currently push things off the front page by submitting numerous seemingly technical articles? How hard is it for people to divert traffic to a "we hate microsoft" thread? I would say just as hard as it is for TV to divert your attention from Syria by showing a nearly naked teenager humping teddy bears.

      Hopefully, after all is said and done people catch on and stop falling for the games.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    11. Re:We owe our thanks to Mr. Snowden by Em+Adespoton · · Score: 2

      We might have discovered these magic numbers if anyone ever critically analysed this document.

      Apparently "security experts" just blindly do things and don't critically examine what goes on.

      Scientists have been finding wrong analyses and bringing them down for centuries. In fact, I could read any journal issue in my field and find at least 5 utterly wrongheaded analyses of things. YOU HAVE TO READ SHIT.

      More than this, you have to speak up, and having spoken up, you have to be heard.

      I'm pretty sure that you'll probably find a number of papers in the field that have been published for years talking about the fragility of SEC random curves as selected. There are probably dozens of people jumping up and down right now saying "I told you so!" -- the issue is that nobody listened to them (and likely still aren't listening to them).

    12. Re:We owe our thanks to Mr. Snowden by mdielmann · · Score: 4, Insightful

      Wrong. The big problem is the government wants a way to see your data, unconditionally, whether or not you have ever done anything wrong, preferably without you knowing. Their willingness to store the keys somewhere, probably unsafely, for their convenience, rather than putting a back door that someone else might stumble upon is a very minor thing, comparatively.

      The Clipper episode doesn't give you insight into technique, in this case. It gives you insight into intent.

      --
      Sure I'm paranoid, but am I paranoid enough?
    13. Re:We owe our thanks to Mr. Snowden by Darinbob · · Score: 2

      It wasn't until I saw a Marx Brothers movie that I fully understood communism.

  7. Re:Reference? by IamTheRealMike · · Score: 5, Informative

    Sorry, I could have provided a link for that too. It was in the major Snowden story of last week that revealed the NSA was undermining public standards. The New York Times said this:

    Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

    Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

    Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

    “Eventually, N.S.A. became the sole editor,” the memo says.

    Although the NYT didn't explicitly name the bad standard, there's only one that fits the criteria given which is Dual_EC_DRBG.

  8. Open letter to the NSA by aaaaaaargh! · · Score: 3, Funny

    Dear NSA,

    Since I'm getting tired of these stories and it seems kind of unfair that you're getting all the heat recently, here is my suggestion how you could improve your PR image by doing something to our mutual benefit:

    Please use your supercomputers for a few months to aggressively mine Bitcoins and Litecoins. That would make you (virtually) richer than you already are and free me and the rest of the world in future from annoying Bitcoin-mining stories.

    If you like this idea, consider donating some Bitcoins to me. You know where to find me.

    Thank you for your attention and best regards,

    aaaaaaargh!

    1. Re:Open letter to the NSA by Anonymous Coward · · Score: 3, Funny

      They are ALL open letters to the NSA.

  9. Re:Reference? by afidel · · Score: 4, Informative

    Bruce Schneier talked about DRBG being a probable backdoor back in 2007.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  10. Justified paranoia by return+42 · · Score: 5, Insightful

    I think we are all going to have to be a lot more paranoid from now on about the public comments NIST gets on crypto standards. We can count on NSA to continue to try to mess with the standards, but they won't do it openly. They'll use proxies with no traceable connection to NSA. The crypto experts will have to examine these things a lot more carefully. Hanlon's razor won't cut it anymore.

  11. Factoring integers versus Discrete Log in EC group by betterunixthanunix · · Score: 2

    The difference boils down to factoring integers versus computing discrete logarithms in elliptic curve groups. The best publicly known integer factorization algorithm is GNFS which runs in roughly O(2^(n^1/3)), whereas the best publicly known ECDLOG algorithm runs in O(2^(n^1/2)). That is why we need RSA keys that are so much larger than ECC keys.

    That, of course, is a theoretical argument. In practice, there are other issues to consider. ECC has a lot of parameters and there are a lot of constraints on the curve you choose; this means there are a lot of things to get wrong. RSA is not technically secure on its own (and the construction used to make it secure is easy to get wrong), but related systems like Blum-Goldwasser (which is based on a related problem, the Quadratic Residuosity Problem) are and they have many fewer parameters. The code for such systems is also simpler, which makes it more straightforward to audit (and harder to hide backdoors).

    --
    Palm trees and 8
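
The comment above gives the asymptotics in words. The following Python is an added example, not code from the page or from any commenter: it turns the two running-time classes into a key-size comparison using the standard heuristic GNFS cost L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped, and the generic square-root bound (Pollard rho) for the discrete logarithm in a prime-order elliptic-curve group. Reading the raw exponent directly as "bits of work" is an assumption of this example, so the output is an order-of-magnitude estimate, not an authoritative key-size table; it does land near the commonly published pairings (RSA-3072 with 256-bit curves, RSA-15360 with 512-bit curves), which is the point the comment is making.

```python
import math


def gnfs_bits(modulus_bits: int) -> float:
    """Heuristic work to factor an RSA modulus of `modulus_bits` bits with the
    General Number Field Sieve: L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    with c = (64/9)^(1/3) and the o(1) term dropped. Returned in log2 units,
    i.e. "bits of work". The calibration is a simplifying assumption."""
    ln_n = modulus_bits * math.log(2)
    c = (64.0 / 9.0) ** (1.0 / 3.0)
    work_nats = c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return work_nats / math.log(2)


def ecdlp_bits(group_bits: int) -> float:
    """Generic-group cost of the discrete log in a prime-order group of about
    2^group_bits elements: Pollard rho needs roughly sqrt(order) steps,
    so about group_bits/2 bits of work. No known sub-exponential attack
    applies to well-chosen prime-field curves, which is why this is the bound."""
    return group_bits / 2.0


def rsa_bits_for_security(security_bits: int, step: int = 8) -> int:
    """Smallest modulus size (a multiple of `step`) whose GNFS estimate reaches
    the target; the square-root bound means the curve needs only 2x the target."""
    n = step
    while gnfs_bits(n) < security_bits:
        n += step
    return n


def comparison_table(levels=(80, 112, 128, 192, 256)) -> dict:
    """Map each security level to (estimated RSA modulus bits, curve group bits)."""
    return {lvl: (rsa_bits_for_security(lvl), 2 * lvl) for lvl in levels}


if __name__ == "__main__":
    for lvl, (rsa_n, ec_n) in comparison_table().items():
        print(f"{lvl:>3}-bit security: RSA ~{rsa_n} bits  vs  EC {ec_n} bits")
```

The ratio grows with the security level: doubling the target from 128 to 256 bits doubles the curve size but roughly quintuples the RSA modulus, because the sub-exponential exponent in GNFS grows only like the cube root of the modulus length.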
  12. Not paranoid *enough* ? by pla · · Score: 5, Interesting

    I only see people discussing the first-level implications to privacy and security of the NSA having chosen parameters that lead to a somehow-weak curve. Except - That doesn't take any special NSA magic, they just cheated up front.

    Such discussion completely overlooks the much bigger problem here, however - The NSA chose parameters that give a weaker curve. Parameters generated as the output of hashing them with SHA1.

    The ability to choose parameters strongly suggests that the NSA has a way to produce input texts that yield a desired SHA1 hash. That takes special NSA magic, and should really count as the FP story here, not the far less impressive trick of stacking the deck in their favor.

    1. Re:Not paranoid *enough* ? by skids · · Score: 2

      SHA1 has been deprecated (mainly as a precaution, but with evidence that attacks were starting to gain a small foothold) since 2005 (by NIST itself even) in favor of the SHA2-240/256/384/512 suite. The question really is why did the selection of SHA1 over a SHA2 variant (I assume in 2007 since that is when the first draft of what became RFC 5639 was published) not raise red flags, in addition to the from-the-sleeve seeds?
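
The two comments above argue about what the SHA-1 step in the "verifiably random" procedure does and does not prove. The Python below is an added example, not code from the page or from any commenter; it implements the published ANSI X9.62 / SEC 1 derivation of the integer r from SEED and checks the published relation r * b^2 = a^3 (mod p) against the NIST P-256 (secp256r1) constants as they appear in FIPS 186 and SEC 2. The constants are the standard's own; the function and variable names are this example's.

```python
import hashlib

# Published NIST P-256 / secp256r1 domain parameters (FIPS 186, SEC 2).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3  # a = -3 mod p
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = 0xc49d360886e704936a6678e1139d26b7819f7e90  # the opaque 160-bit SEED

SEED_BITS = 160  # g in ANSI X9.62: SEED is a SHA-1-sized bit string


def derive_r(seed: int, field_bits: int) -> int:
    """ANSI X9.62 A.3.3 / SEC 1 derivation of r from SEED for a t-bit prime field.

    s = floor((t - 1) / 160), h = t - 160 * s
    W0 = rightmost h bits of SHA-1(SEED) with its leftmost bit cleared
    Wi = SHA-1((SEED + i) mod 2^160) for i = 1 .. s
    r  = integer(W0 || W1 || ... || Ws)
    """
    s = (field_bits - 1) // 160
    h = field_bits - 160 * s
    seed_bytes = seed.to_bytes(SEED_BITS // 8, "big")
    h0 = int.from_bytes(hashlib.sha1(seed_bytes).digest(), "big")
    w0 = h0 & ((1 << h) - 1)      # keep the rightmost h bits
    w0 &= ~(1 << (h - 1))         # clear the leftmost of those h bits (so r < p)
    w = w0
    for i in range(1, s + 1):
        seed_i = (seed + i) % (1 << SEED_BITS)
        digest = hashlib.sha1(seed_i.to_bytes(SEED_BITS // 8, "big")).digest()
        w = (w << 160) | int.from_bytes(digest, "big")
    return w


def verify_seed(p: int, a: int, b: int, seed: int) -> bool:
    """Return True iff r(SEED) * b^2 == a^3 (mod p), the standard's check."""
    r = derive_r(seed, p.bit_length())
    return (r * b * b - a * a * a) % p == 0


if __name__ == "__main__":
    print("P-256 seed reproduces b:", verify_seed(P256_P, P256_A, P256_B, P256_SEED))
    print("seed+1 reproduces b:    ", verify_seed(P256_P, P256_A, P256_B, P256_SEED + 1))
```

What the check establishes is only that b was derived from the published SEED through SHA-1 as described; no preimage ability is needed for that, since the hash is run forward. What it cannot establish is how the SEED itself was chosen: any 160-bit string yields some r, and whoever picks the SEED can try as many as they like before publishing one. That is the gap the story is about, and it is why later curve proposals derived their seeds from a stated, checkable source rather than an arbitrary value.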

  13. Re:Isn't it time we take back our own country ? by meta-monkey · · Score: 4, Funny

    I nominate Anonymous Coward.

    --
    We don't have a state-run media we have a media-run state.
  14. Re:Is Bitcoin Vulnerable? by Sique · · Score: 4, Funny

    So for the NSA to kick out the really problematic implementations, the really secure ones, those they didn't find a backdoor in yet, the NSA will just recommend them?

    --
    .sig: Sique *sigh*
  15. Re:Isn't it time we take back our own country ? by meta-monkey · · Score: 4, Informative

    Because those are terrible ideas that will have zero effect.

    The only way to beat a bureaucracy is at the polls, from the ground up:

    1) download your local laws.

    2) open in text editor.

    3) hack to make them better.

    4) get friends/randoms to run for city council with/for you based on those better laws.

    5) campaign via social media/crowdfunding

    6) win election. Enact laws. Acquire control of pre-built militarized police and tax money

    7) use police to fight corruption, taxes to promote education, civic responsibility, transparent government

    8) repeat for each city then county then state then nation.

    9) ???

    10) don't profit because you can't really take lobbying bribes for a distributed lawmaking system.

    --
    We don't have a state-run media we have a media-run state.
  16. Re:Isn't it time we take back our own country ? by Atzanteol · · Score: 2

    It's past that point. Nobody we would want to run would win. If you're not in the two big parties you get no media attention, no money, it's significantly more difficult to get included in debates, etc. IOW it's a doomed candidacy.

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  17. Re:Reference? by IamTheRealMike · · Score: 2

    I just found this new blog post from the NYT which gives a very small amount of additional context. It also explicitly names the NSA RNG as what they were talking about.

    http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/

    But internal memos leaked by a former N.S.A. contractor, Edward Snowden, suggest that the N.S.A. generated one of the random number generators used in a 2006 N.I.S.T. standard — called the Dual EC DRBG standard — which contains a back door for the N.S.A. In publishing the standard, N.I.S.T. acknowledged “contributions” from N.S.A., but not primary authorship.

    Internal N.S.A. memos describe how the agency subsequently worked behind the scenes to push the same standard on the International Organization for Standardization. “The road to developing this standard was smooth once the journey began,” one memo noted. “However, beginning the journey was a challenge in finesse.”

    At the time, Canada’s Communications Security Establishment ran the standards process for the international organization, but classified documents describe how ultimately the N.S.A. seized control. “After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft,” the memo notes. “Eventually, N.S.A. became the sole editor.”

    The Guardian, ProPublica, the NYT and Schneier all appear confident enough in what they've read to state assertively that it's a hacked standard. Also, why else would the NSA care so much about pushing a crap and slow RNG that we know can have a backdoor into international standards?

  18. They know me by Taco+Cowboy · · Score: 5, Insightful

    Thank you Mr. Taco Cowboy (if that's your real name). The FBI should be visiting soon. Please hide your dogs, for their own sake.

    Almost every single time I posted a comment that hits the bull's eye someone would counter it with a veiled threat, like the above.

    FYI, they know who I am.

    I came from China, I am a naturalized citizen of the United States of America, and I am currently not living inside the U.S. of A.

    In my younger days, I also was involved in some (still secret) military programs.

    They have my dossier. They know where I am.

    If they want to take me down, they can, any time.

    But I am not important. I am expendable.

    What is important is the future of my country, the United States of America.

    As I said, I came from China, I have had first-hand experience of the terror of Tyranny, with a capital "T".

    What I, and millions of my former comrades in China had suffered through, I would NOT want you guys in America to go through.

    The terror of Tyranny is much more than any Hollywood movie could ever convey.

    Go ahead, threaten me more, if that is the thing that makes you feel good.

    I have gone through the baptism of hell back when I was in China, death is nothing to be afraid of.

    As I said, I am expendable, but the United States of America is not.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:They know me by spire3661 · · Score: 2

      This is a very Chinese attitude. The nation can crumble around me, if it is deemed corrupt. It is the IDEALS that drive us. When we lose our ideals, we lose the country.

      --
      Good-bye
  19. Re:Is Bitcoin Vulnerable? by DrXym · · Score: 2

    To give everyone a laugh at libertarian nerds who thought it was a great idea to invest in it.

  20. Agree: make a new fully open process, open source by mrflash818 · · Score: 2

    Agree: make a new fully open process, open source encryption system, fully peer-reviewed, global internet participation possible, just like the Linux kernel.

    Perhaps, like kernel.org, there can be FOE.org (Fully Open Encryption dot org) created.

    Then that can be collaborated on via git, the developer community, and the security community. ...just my two cents.

    --
    Uh, Linux geek since 1999.
  21. Re:Trusting Trust by ColdWetDog · · Score: 2

    Ken Thompson's article "Reflections on Trusting Trust" seems to apply here.
    http://cm.bell-labs.com/who/ken/trust.html

    Even if the numbers are corrected, we have no guarantee that a lower-level system isn't undoing that work. Backdoors can (and probably do) exist in not only compilers, but in hardware. If this is the case, then broken encryption parameters are far less important. For example, git uses SHA1 for encryption. Assuming the scheme isn't already broken, it is likely possible to generate a collision with brute-force (especially if you need only one number). If some link in the git chain were thus broken, a replacement file with a backdoor payload could be injected (eg. in the confusion surrounding the gnu.org repos being hacked). As ken points out, once that initial injection is made (assuming it is of sufficient quality) it can be used to add anything to future compiled versions.

    This must be the reason my checking account never balances.....

    --
    Faster! Faster! Faster would be better!
  22. And was on slashdot in 2007 as well by gr8_phk · · Score: 3

    http://it.slashdot.org/story/07/11/15/184204/new-nsa-approved-encryption-standard-may-contain-backdoor I remember at the time it seemed to be confirmed that there IS a backdoor. The question of whether anyone knew the magic numbers to open that door seemed obvious at the time as well - the NSA chose the numbers. It would go against everything they stand for NOT to have the keys.

    Side note: Contrary to what some folks claim, this does not make the system weak against any foreign enemy, criminals, or hackers. It makes it weak only to the NSA so long as no one else discovers the master key. Not that this makes it ok, just not as bad as some claim.

    1. Re:And was on slashdot in 2007 as well by twotailakitsune · · Score: 2

      NSA also picked the boxes in DES. For years people believed it was to make a backdoor. Then people learned that the NSA knew of a weakness that they closed by picking the boxes.

  23. Fully Open Encryption by mrflash818 · · Score: 2

    There may be a solution to the NSA problem:

    Make a new fully open process, open source encryption system, fully peer-reviewed, global internet participation possible, global peer review possible.

    Use the development of the Linux kernel as a model. Use the global participation of Debian as a model.

    Perhaps, like kernel.org, there can be FOE.org (Fully Open Encryption dot org) created.

    Then that FOE system and software can be collaborated on via git, the developer community, and the security community. ...just my two cents.

    --
    Uh, Linux geek since 1999.
  24. Churchill Corollary by ThatsNotPudding · · Score: 2

    No country or company in their right mind will ever trust a U.S. company with sensitive data ever again, and most of the companies that currently do are likely just biding time until they can find a non-U.S. based alternative (or some way to heavily encrypt their data).

    The US government is the most untrustworthy government - except for all the others.


    :(