Are the NIST Standard Elliptic Curves Back-doored?

IamTheRealMike writes "In the wake of Bruce Schneier's statements that he no longer trusts the constants selected for elliptic curve cryptography, people have started trying to reproduce the process that led to those constants being selected ... and found it cannot be done. As background, the most basic standard elliptic curves used for digital signatures and other cryptography are called the SEC random curves (SEC is 'Standards for Efficient Cryptography'), a good example being secp256r1. The random numbers in these curve parameters were supposed to be selected via a "verifiably random" process (output of SHA1 on some seed), which is a reasonable way to obtain a nothing up my sleeve number if the input to the hash function is trustworthy, like a small counter or the digits of PI. Unfortunately it turns out the actual inputs used were opaque 256 bit numbers, chosen ad-hoc with no justifications provided. Worse, the curve parameters for SEC were generated by head of elliptic curve research at the NSA — opening the possibility that they were found via a brute force search for a publicly unknown class of weak curves. Although no attack against the selected values are currently known, it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies. Now that the world received strong confirmation that the much more obscure and less widely used standard Dual_EC_DRBG was in fact an NSA undercover operation, NIST re-opened the confirmed-bad standards for public comment. Unless NIST/the NSA can explain why the random curve seed values are trustworthy, it might be time to re-evaluate all NIST based elliptic curve crypto in general."

Meta review

[pr0nbot]

As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

Re:Meta review

[FriendlyLurker]

it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

As well as reviewing the standards themselves, I hope someone is reviewing the processes which allowed these weaknesses to get into the standards.

Exactly. A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable, and they should be put to task over the issue, removed from decision making posts and in the worst cases, professionally shunned by the community and excluded from all standards processes... the cost of not doing this is a return to business as usual once things settle down.

Re:Meta review

So I can just replace the NSA's magic-numbers with my own generated from RdRand! *ducks*

Re:Meta review

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

That's easy to explain. Secret orders from secret courts and secret gag orders with secret threats that you will be "relocated" to a secret prison somewhere unless you comply (and keep your objections secret).

Re:Meta review

[afidel]

Suspicious yes, but not necessarily bad, remember that the NSA also manipulated the s-box values for DES to make them more resistant to differential cryptanalysis, a technique not yet known by the wider community.

Re:Meta review

[postbigbang]

Even when pi or rho or other "random" numbers are used for seeds as "magic" numbers, additional hashing and rehashing is needed to give further difficulty to decryption by those NOT having the key numbers.

With each new algorithm there is an army chomping at the bit (pardon the pun) to decrypt it, if not for fun or enlightenment, for the profit of the decrypted information value-- if any.

The problem here is trust. The NSA has blown its trust completely, beyond identifiability. Other initiatives, like SELinux, and security initiatives are now also in question, as well as anything the NSA has touched. They're dirty, and make Americans and the world not trust in their own government. We were supposed to be the good guys, we Yanks, and guess what? It was all a lie. Now the NSA has made an enemy of civil people, and civil people will need to protect themselves extra-governmentally, because the government has proven it's not protecting the interests of its citizenry.

Sorry to astroturf, but seeds are no longer the problem. The problem is trust.

Re:Meta review

[Bill,+Shooter+of+Bul]

Wow. You butchered a butchered phrase. Truly, the student has become a more smart man- doesn't need school.

Its " fool me once, shame on - shame on you. Fool me - you can't get fooled again."

Re:Meta review

[kelemvor4]

it's common practice to never use unexplainable magic numbers in cryptography standards, especially when those numbers are being chosen by intelligence agencies.

Well then, how do we explain the common practice of using magic numbers in cryptography standard, then?

Explainable magic numbers.

Re:Meta review

[Dan+Ost]

Because the designers of the Linux random number generator code designed things such that if RdRand is compromised, it doesn't reduce the strength of the random number generated. However, if it is not compromised, then the randomness is stronger.

Why should we give up a potential benefit if there is no possible harm?

Re:Meta review

[daremonai]

Iran is not a semitic country, by and large. The majority of the population is ethnic Persians who speak Farsi, an Indo-European language. The second largest group is the Azerbaijanis, who speak a Turkic language. I don't think the semitic population (mostly Arab and Assyrian) amounts to more than 10%.

Re:Meta review

[Carewolf]

Iranians are NOT semitic, they are Aryan, the name Iran literally means home of the Aryans. Named so because that is the one common thing that separates the various Iranian people from their semitic neighbours the Arabs.

Why is EC more secure than RSA?

[pikine]

Color me ignorant, but could someone please explain that elliptic curve is more secure than RSA? Wikipedia even claims that a 128-bit EC key is equivalent to 3072-bit RSA key. Even if it's computation complexity brute forcing discrete log or integer factorization on a non-deterministic turing machine, it should differ by no more than a small constant factor, e.g. 512-bit versus 1024-bit, not by O(sqrt(n)) as Wikipedia claims. Wikipedia is simply quoting NSA.

Re:Why is EC more secure than RSA?

The number field sieve relies on the smoothness of the integers modulo n. Using an elliptic curve group rather than the integers modulo n removes this smoothness, so the fastest algorithms available to determine the discrete logarithms are much slower (I believe they're based on Pollard's rho algorithm).

If that made no sense to you, go brush up on your number theory.

If you don't want to learn number theory, then accept that you are incapable of having an informed opinion on asymmetrical cryptography standards. (Which is okay, we can't all have an informed opinion on every issue; your brain can only hold so much stuff, right?)

Re:Why is EC more secure than RSA?

[gnasher719]

A 1024 bit RSA key can trivially be cracked in 2^512 operations. An algorithm that uses 2^341 operations (cube root) and involves no more than high school maths was found about 1975. Then we need to go into deep maths, but there are algorithms that are significantly faster, and there is no good reason to think that more progress couldn't be made. 128 vs 3072 is a bit much, but factoring 1024 bit numbers in 2^128 operations doesn't seem impossible.

Re:Why is EC more secure than RSA?

Public key cryptography is based on mathematical operations which are easy to do but difficult to do in reverse. For example, it is easy to multiply two big prime numbers, but it is difficult to factorize the product. There are multiple such easy-difficult pairs. Currently none of the supposedly difficult problems has been proven to be difficult. It is just assumed that they are difficult because nobody has found an easy way, but people are working on making the difficult problem easier to solve, and advances in that regard weaken the associated cryptographic systems. Significant advances have been made in solving the difficult problem at the heart of RSA (but it's not publicly broken yet.) That's the reason for the recommendation to switch to a different easy-difficult pair for public key cryptography. The different key sizes are the result of the kinds of numbers which form the public and private keys in these different algorithms.

Re:Why is EC more secure than RSA?

The discrete log problem on an elliptic curve is believed to be more computationally intensive than the discrete log problem in a ring of integers. For example, see http://www.ams.org/journals/mcom/1987-48-177/S0025-5718-1987-0866109-5/S0025-5718-1987-0866109-5.pdf and http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=F220DD223483B78B72C9CE243A62ADD7?doi=10.1.1.39.4125&rep=rep1&type=pdf

Re:Why is EC more secure than RSA?

[lordlod]

The elliptic-curve algorithm is much slower for future quantum based attacks. So it's future-proofing, which is required if you want your secrets to stay secret.

You could get similar results by adopting a 15000 bit RSA key... but that's getting rather large.

A paper with some classical and quantum time estimates, Elliptic-Curve vs RSA: http://arxiv.org/pdf/quant-ph/0301141v2.pdf

Re:hmmm

[TWiTfan]

The sad thing is that there is no way to ever put Humpty Dumpty back together again. The U.S. just permanently lost any position as a leading internet innovator. Nothing the U.S. leaders of industry can do now will ever earn back the trust of the rest of the world. No country or company in their right mind will ever trust a U.S. company with sensitive data ever again, and most of the companies that currently do are likely just biding time until they can find a non-U.S. based alternative (or some way to heavily encrypt their data).

Not shown to be good

Why are people even asking if it's been backdoored? It's already established that no one can explain the constants. It hasn't been shown to not be backdoored. That's enough to prove beyond the shadow of a doubt that it's wrong. Arguing about whether the standard is compromised by mere incompetence or malice, isn't worth spending time on.

If you don't know something is done right, then that alone is irrefutable proof that it has been done wrong. Even if they're good constants.

Re:Not shown to be good

[Chacharoo]

I wish the parent were modded up. It's the loss of trust that's the bottom line. The constants may well not be back-doored. Or they may be. But once the trust is gone, and there's no verification of how the numbers arose in the first place, it's already too late.

Re:hmmm

Yes, but they are using curve25519 which is not one of the curves recommended by NSA or NIST, and which does not have any unexplained magic numbers in its definition.

Replaced security with obscurity

The essence of what the NSA did, was to replace cryptographic security with security through obscurity. People who haven't found the back door yet don't know its there. Classic 'security via obscurity' that is the opposite of crypto.

Now everyone knows they're there, we need to replace them damn fast. Waiting for the backdoor to be verified is too late, by then bad actors (I mean ones other than General Alexander) could already have found it.

Replacing these takes time, and so the assumption should be they are vulnerable, because the NSA leaks show the NSA knows they are vulnerable, even if we don't quite know the micro detail of how, yet.

We owe our thanks to Mr. Snowden

[Taco+Cowboy]

... A list of people had to be complicit in getting these "magic backdoor" numbers into the standards. The integrity of these people is now highly questionable

This, and many other expose, can only come to light, because of the courage of a single person - Mr. Edward Snowden.

If not for Mr. Snowden, would we ever discover the phenomenon of the "magic number" ?

If not because of Mr. Snowden, we wouldn't even begin to question the integrity of those previously highly regarded "very important people".

If not for his courage, how much more damage all of us have to suffer ?

And yet, inside the United States of America, there are still people equating Mr. Snowden as though he is a traitor.

And even here in Slashdot, we have posters posting very stinging attack on Mr. Snowden.

Our country is under attack, and the attacker is our own government, but yet, there are still Americans who will do everything to help deepen the tyranny, all in the name of "patriotism".

I, an American citizen, do owe my deepest thanks to Mr. Edward Snowden, and I do hope that more of my fellow Americans should start acknowledge something very very wrong has happened to America, the country we love so much, and that we should start doing something together, to RIGHT THE WRONGS.

There have been too many comments that essentially convey the message that we, the People of America, have no power to determine our own future, and that our government, is so overwhelmingly powerful that we are ready to become their slaves, rather than stand up and oppose the tyranny.

Is America still the land of the free, and the home of the braves ?

Or has American turned into the land of the enslaved, and the home of the cowards ?

The choice is on your hand, my fellow Americans.

Either we start righting the wrongs now, or we will end up handing over to our children a country of tyranny.

Are we going to let our children suffer because of our cowardice ?

You are the only one who can answer the question.

Re:We owe our thanks to Mr. Snowden

[j3thr0]

Except that this came to light back in 2007. http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

Re:We owe our thanks to Mr. Snowden

[rvw]

Except that this came to light back in 2007.
http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

So why has nobody fixed this in the past six years? Thanks to Snowden it's back in the spotlight, and now it seems like action is being taken. That's his legacy. I thank him for that.

Re:We owe our thanks to Mr. Snowden

[IamTheRealMike]

That story is about Dual_EC_DRBG which was indeed strongly suspected of being an NSA back door back in 2007. Snowden confirmed the suspicion. However this story is not about that algorithm. It's about the SEC random curves that are used for signing and other crypto, not random number generation. There are two different algorithms under discussion here.

Re:We owe our thanks to Mr. Snowden

[lkcl]

if you've seen the film with nicholas cage, it highlighted for me for the very first time that the U.S. Constitution was written by some extremely fore-sighted people. there are specific words in it which not just permit but *OBLIGATE* you - each and every american citizen - to overthrow any government that has become tyrannical or otherwise lost its way.

given that america has such a significant hold over the rest of the world, *i* as a UK citizen am obligated to point this out to you, because by not doing so it will have an adverse effect (through erosion of sovereign rights of each and every country - erosion initiated by the corrupt U.S. Govt infrastructure) on *my* country to whom *i* hold allegiance.

so - get to it, americans - get your act together!

Re:We owe our thanks to Mr. Snowden

Before it came to light as a theoretical possibility. People could see that the possibility existed, however accusing the NSA of having used it would be accusing them of deliberately and knowingly weakening the security of systems designed to be used in defence of their country. That is a pretty serious accusation against people who essentially work for the military. Most people's belief in innocent until proven guilty made that a hard case to make.

Now, thanks to Snowdon, we know they have been weakening system security for their own convenience. Suddenly many people's old viewpoints have become obviously naive.

Re:We owe our thanks to Mr. Snowden

[mdielmann]

Wrong. The big problem is the government wants a way to see your data, unconditionally, whether or not you have ever done anything wrong, preferably without you knowing. Their willingness to store the keys somewhere, probably unsafely, for their convenience, rather than putting a back door that someone else might stumble upon is a very minor thing, comparatively.

The Clipper episode doesn't give you insight into technique, in this case. It gives you insight into intent.

Re:Reference?

[IamTheRealMike]

Sorry, I could have provided a link for that too. It was in the major Snowden story of last week that revealed the NSA was undermining public standards. The New York Times said this:

Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

“Eventually, N.S.A. became the sole editor,” the memo says.

Although the NYT didn't explicitly name the bad standard, there's only one that fits the criteria given which is Dual_EC_DRBG.

Open letter to the NSA

[aaaaaaargh!]

Dear NSA,

Since I'm getting tired of these stories and it seems kind of unfair that you're getting all the heat recently, here is my suggestion how you could improve your PR image by doing something to our mutual benefit:

Please use your supercomputers for a few months to aggressively mine Bitcoins and Litecoins. That would make you (virtually) richer than you already are and free me and the rest of the world in future from annoying Bitcoin-mining stories.

If you like this idea, consider donating some Bitcoins to me. You know where to find me.

Thank you for your attention and best regards,

aaaaaaargh!

Re:Open letter to the NSA

They are ALL open letters to the NSA.

Re:Reference?

[afidel]

Bruce Schneier talked about DRBG being a probable backdoor back in 2007.

Justified paranoia

[return+42]

I think we are all going to have to be a lot more paranoid from now on about the public comments NIST gets on crypto standards. We can count on NSA to continue to try to mess with the standards, but they won't do it openly. They'll use proxies with no traceable connection to NSA. The crypto experts will have to examine these things a lot more carefully. Hanlon's razor won't cut it anymore.

Not paranoid *enough* ?

[pla]

I only see people discussing the first-level implications to privacy and security of the NSA having chosen parameters that lead to a somehow-weak curve. Except - That doesn't take any special NSA magic, they just cheated up front.

Such discussion completely overlooks the much bigger problem here, however - The NSA chose parameters that give a weaker curve. Parameters generated as the output of hashing them with SHA1.

The ability to choose parameters strongly suggests that the NSA has a way to produce input texts that yield a desired SHA1 hash. That takes special NSA magic, and should really count as the FP story here, not the far less impressive trick of stacking the deck in their favor.

Re:Isn't it time we take back our own country ?

[meta-monkey]

I nominate Anonymous Coward.

Re:Is Bitcoin Vulnerable?

[Sique]

So for the NSA to kick out the really problematic implementations, the really secure ones, those they didn't find a backdoor in yet, the NSA will just recommend them?

Re:Isn't it time we take back our own country ?

[meta-monkey]

Because those are terrible ideas that will have zero effect.

The only way to beat a bureaucracy is at the polls, from the ground up:

1) download your local laws.

2) open in text editor.

3) hack to make them better.

4) get friends/randoms to run for city council with/for you based on those better laws.

5) campaign via social media/crowdfunding

6) win election. Enact laws. Acquire control of pre-built militarized police and tax money

7) use police to fight corruption, taxes to promote education, civic responsibility, transparent government

8) repeat for each city then county then state then nation.

9) ???

10) don't profit because you can't really take lobbying bribes for a distributed lawmaking system.

They know me

[Taco+Cowboy]

Thank you Mr. Taco Cowboy (if that's your real name). The FBI should be visiting soon. Please hide your dogs, for their own sake.

Almost every single time I posted a comment that hits the bull's eye someone would counter it with a veil threat, like the above.

FYI, they know who I am.

I came from China, I am a naturalized citizen of the United States of America, and I am currently not living inside the U.S. of A.

In my younger days, I also was involved in some (still secret) military programs.

They have my dossier. They know where I am.

If they want to take me down, they can, any time.

But I am not important. I am expendable.

What is important is the future of my country, the United States of America.

As I said, I came from China, I had had first hand experienced the terror of Tyranny, with a capital "T".

What I, and millions of my former comrades in China had suffered through, I would NOT want you guys in America to go through.

The terror of Tyranny is much more than any Hollywood movie could ever convey.

Go ahead, threatening me more, if that is the thing that makes you feel good.

I have gone through the baptism of hell back when I was in China, death is nothing to be afraid of.

As I said, I am expendable, but the United States of America is not.

Re:hmmm

[joe_frisch]

I think that American users have more to fear from US government spying than foreign users do. Frankly I don't care if the Chinese government has access to all of my personal data - they have very little ability to or interest in interfering with my life. The US government on the other hand is much more likely to act against me in response to my (hypothetical) online mis-behavior. In the same way Chinese citizens have little to fear from the US government but a lot to fear from their own.

The very important exception to this is when you are dealing with industry trade secrets it is quite possible that foreign governments with links to industry represent a larger threat than your own. Of course while the NSA as an organization almost certainly does not sell trade secrets that they have obtained, it is possible that individuals working for the NSA might do so. Snowdon stole a bunch of information and turned it public, another man in the same situation might well have sold it.

Re:hmmm

[HornWumpus]

The Swiss recently sold all the numbered account holders that didn't open their accounts prior to 1950 down the river.

The old money families (Kennedys, DuPonts etc) got to keep their secret accounts secret. Everybody else got fucked.

And was on slashdot in 2007 as well

[gr8_phk]

http://it.slashdot.org/story/07/11/15/184204/new-nsa-approved-encryption-standard-may-contain-backdoor I remember at the time it seemed to be confirmed that there IS a backdoor. The question of weather anyone knew the magic numbers to open that door seemed obvious at the time as well - the NSA chose the numbers. It would go against everything they stand for NOT to have the keys.

Side note: Contrary to what some folks claim, this does not make the system weak against any foreign enemy, criminals, or hackers. It makes it weak only to the NSA so long as no one else discovers the master key. Not that this makes it ok, just not as bad as some claim.