Slashdot Mirror


Dual_EC_DRBG Backdoor: a Proof of Concept

New submitter Reliable Windmill sends this followup to the report that RSA took money from the NSA to use backdoored tech for random number generation in encryption software. From the article: "Dual_EC_DRBG is a pseudo-random number generator promoted by NIST in NIST SP 800-90A and created by NSA. This algorithm is problematic because it has been made mandatory by the FIPS norm (and should be implemented in every FIPS approved software) and some vendors even promoted this algorithm as first source of randomness in their applications. If you still believe Dual_EC_DRBG was not backdoored on purpose, please keep reading. ... It is quite obvious in light of the recent revelations from Snowden that this weakness was introduced on purpose by the NSA. It is very elegant and leaks its complete internal state in only 32 bytes of output, which is very impressive knowing it takes 32 bytes of input as a seed. It is obviously complete madness to use the reference implementation from NIST"
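The mechanism the submitter is describing, worked through on a toy curve (an added example, not the article's proof of concept and not NIST's reference code): Dual_EC_DRBG keeps a scalar state s, updates it as s = x(s*P), and hands the consumer x(s*Q) with the top bits dropped. If whoever chose the constants knows a scalar e with e*Q = P, one output block is enough: lift the output back to a point R = +-s*Q on the curve, and e*R = s*P, whose x-coordinate is the generator's next state. With P-256 the spec drops 16 of the 256 bits of the x-coordinate, so the attacker tries at most 2^16 lifts and lets the following block pick the right one. The Python below searches for a prime-order curve over F_10007 at start-up (so it runs stand-alone; the point count takes about a second), plants an invented trapdoor d = 0x1337 (Q = d*P, e = d^-1 mod N), recovers the state from three outputs and predicts the next five. It also derives a Q by hashing a public label, which is what a designer who wants to be believed would publish. None of the curve, points, scalars or the 3-bit truncation are NIST's; they are assumptions of this example.

```python
# Added example (not the article's PoC or NIST's code). Assumptions: a toy curve
# over F_10007 found by search, an invented trapdoor d = 0x1337, and 3 dropped
# output bits where the real generator drops 16 of a 256-bit x-coordinate.
import hashlib
P_MOD, A = 10007, 1          # prime p = 3 (mod 4); the a in y^2 = x^3 + a*x + b
OUT_BITS, OUT_MASK = 11, (1 << 11) - 1   # low bits of x(s*Q) given to the consumer

def mod_sqrt(v, p=P_MOD):  # sqrt mod p for p = 3 (mod 4); None if non-residue
    r = pow(v % p, (p + 1) // 4, p)
    return r if r * r % p == v % p else None

def count_points(a, b, p):  # #E(F_p) = 1 + sum_x (1 + Legendre(x^3 + a*x + b))
    n = 1
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        n += 1 if rhs == 0 else 2 if pow(rhs, (p - 1) // 2, p) == 1 else 0
    return n

def find_curve(a, p):
    """b with prime order N > p and no point at x = 0: states in [1, p) never reach infinity."""
    for b in range(1, p):
        if (4 * a ** 3 + 27 * b * b) % p == 0 or pow(b, (p - 1) // 2, p) == 1:
            continue
        n = count_points(a, b, p)
        if n > p and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return b, n
    raise RuntimeError("no suitable curve")
B, N = find_curve(A, P_MOD)

def lift_x(x):  # the point (x, y) on E, or None if no point has this x
    y = mod_sqrt(x ** 3 + A * x + B)
    return None if y is None else (x % P_MOD, y)

def ec_add(p1, p2, p=P_MOD):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, pt):  # double-and-add
    acc = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

# Published constants: base point P and Q = d*P; the designer keeps e = d^-1 mod N (e*Q = P).
P_GEN = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt is not None)
D_SECRET = 0x1337                 # assumption: invented trapdoor scalar
Q_PT = ec_mul(D_SECRET, P_GEN)
E_SECRET = pow(D_SECRET, -1, N)

class ToyDualEC:
    """One step: s <- x(s*P), then output x(s*Q) with its top bits dropped."""
    def __init__(self, seed, P=P_GEN, Q=Q_PT):
        self.s, self.P, self.Q = seed % P_MOD, P, Q
        assert self.s, "seed must be non-zero mod p"
    def next(self):
        self.s = ec_mul(self.s, self.P)[0]
        return ec_mul(self.s, self.Q)[0] & OUT_MASK

def recover_state(outputs, e, P=P_GEN, Q=Q_PT):
    """States consistent with >= 3 outputs: lift output 1 to R = +-s1*Q (one try per
    dropped-bit pattern); x(e*R) = x(s1*P) = s2, then checked against outputs 2.."""
    first, later = outputs[0], outputs[1:]
    found = []
    for R in filter(None, map(lift_x, range(first, P_MOD, 1 << OUT_BITS))):
        s = ec_mul(e, R)[0]
        clone = ToyDualEC(s, P, Q)
        predicted = [ec_mul(s, Q)[0] & OUT_MASK] + [clone.next() for _ in later[1:]]
        if predicted == later:
            found.append(s)
    return found

def verifiable_point(label):
    """Nothing-up-my-sleeve Q from a public label: anyone can re-derive it, and
    finding d with Q = d*P is a discrete log (trivial here, infeasible on P-256)."""
    for ctr in range(1 << 16):
        digest = hashlib.sha256(b"%s:%d" % (label, ctr)).digest()
        pt = lift_x(int.from_bytes(digest, "big") % P_MOD)
        if pt is not None:
            return pt
    raise RuntimeError("no point found")

def demo(seed=0xBEEF, observed=3, predict=5):  # recover the state, predict ahead
    gen = ToyDualEC(seed)
    outs = [gen.next() for _ in range(observed)]
    states = recover_state(outs, E_SECRET)
    clone = ToyDualEC(states[0])
    for _ in range(observed - 2):      # the recovered state sits behind output #2
        clone.next()
    return states, [clone.next() for _ in range(predict)] == [gen.next() for _ in range(predict)]
```

demo() returns the single surviving state and True: the clone then emits exactly what the real generator emits. Two checks worth running yourself: recover_state with any other e, or against a generator built with verifiable_point() as its Q, returns an empty list, because the x-coordinate it computes is not the next state and the later outputs expose that; and the output stream itself looks the same either way, so nothing a consumer can observe distinguishes a trapdoored Q from an honest one. That is why the only public defense is a Q whose derivation from a public seed can be re-run by anyone, or a different DRBG altogether.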

201 comments

  1. Bah by colinrichardday · · Score: 2, Interesting

    Who can you trust?

    1. Re:Bah by Anonymous Coward · · Score: 0

      Trust is a weakness. In an ideal world, you can trust everyone. The harsh reality is that we don't live in an ideal world, and thus the ideal becomes different.

      The richest countries in the world are rich BECAUSE of trustworthiness. So you gotta ask yourself: WHO profits from a country shooting its own feet?

      Captcha: cashed

    2. Re:Bah by Mister+Liberty · · Score: 1

      Whom?

    3. Re:Bah by MobSwatter · · Score: 2

      Trust is a weakness for the world of spooks, not everyone lives in their world, but everyone seems to be a target for their affections at any cost...

    4. Re:Bah by Anonymous Coward · · Score: 3, Funny

      Ghostbusters!

    5. Re:Bah by Anonymous Coward · · Score: 0

      In the case of elliptic curve cryptography, trust those that specify exactly how they came up with the particular constants used. The NIST standard fails to do this.

    6. Re:Bah by plover · · Score: 2

      Your argument makes no sense. You say that Snowden wouldn't have access, yet he clearly had access to hundreds of thousands of TOP SECRET classified documents. And suspicions around Dual EC_DRBG were raised by Bruce Schneier and other cryptographers about 5 years ago, long before Snowden leaked a byte.

      The backdoor remains an undemonstrated weakness, as nobody's actually published the key secret numbers that prove it can be exploited. But I am given to understand the math that points to the holes in the origin is pretty damning. Less convincing is "proof" that RSA took money from the NSA to support this algorithm. But given the other documents released by Snowden, and from other glimpses of the security snooping apparatus surrounding us (the reverse engineering of Stuxnet and related malware), there is nothing but support for these arguments.

      --
      John
    7. Re:Bah by davidhoude · · Score: 3, Insightful

      If I am not mistaken, Snowden did not have clearance to access these documents...making your point moot. He used stolen credentials to access the documents, credentials he was able to get due to his role as a sysadmin.

    8. Re:Bah by Darinbob · · Score: 0

      There are top secret docs then there are Top Secret docs. Just because you can see some of them does not mean you have access to all documents, especially something that would likely be kept amongst a tight group of insiders.

      Yes, we had suspicions in the past, but no proof, and Snowden is not proof so far since we've seen no new evidence except for a claim from a journalist that Snowden told him something about it.

      If true though, it also means whoever supported this in the NSA is guilty of treason for allowing such a trivial backdoor to exist exposing US security interests to everyone with a computer.

    9. Re:Bah by Luckyo · · Score: 1

      Not so. As long as the backdoor itself is tightly in the hands of the NSA only, as it apparently still is, this is a massive advantage for US security interests.

    10. Re:Bah by HalAtWork · · Score: 2

      Not Bob and Alice I guess!

    11. Re:Bah by davester666 · · Score: 1

      me! Send all your cash to PO Box 10, Cincinnati, OH 98543 Checks will also be accepted, just make them out to "Cash"

      --
      Sleep your way to a whiter smile...date a dentist!
    12. Re:Bah by 1s44c · · Score: 3, Interesting

      Theo de Raadt.

      OpenBSD is trustworthy but you have to be suspicious of the BIOS it runs under and every network it connects to.

    13. Re:Bah by 1s44c · · Score: 1

      But the NSA left masses of top secret stuff lying around where Snowden could find it. You are wrong in saying he 'stumbled' across it though, he acted unethically and broke serious laws to serve what he saw as a greater good.

    14. Re:Bah by 1s44c · · Score: 2

      Only we can't know that. It's entirely possible that all this and more had been stolen from the NSA countless times before Snowden made their crappy internal security an undeniable fact.

      If the Russians, Chinese, or who knows who else already got knowledge on how to exploit this weakness they would be quietly using it and we would never know.

    15. Re:Bah by Anonymous Coward · · Score: 1

      OpenBSD is trustworthy

      What about the network over which you download it?

    16. Re:Bah by LoneWolf · · Score: 2, Informative

      That "stolen credentials" story seems to be widely circulated but not much anchored in evidence. In fact, it probably originated from some NSA insider to discredit Snowden. A more detailed report of what happened comes from an article from Ars Technica. A very good read, by the way:

      The National Security Agency’s oversharing problem
      http://arstechnica.com/information-technology/2013/12/the-national-security-agencys-oversharing-problem/

    17. Re:Bah by jafiwam · · Score: 2

      I don't trust the article for one. I'm as paranoid as everyone else around here, but I don't think the NSA cooperated with RSA to put in a backdoor here, no matter how much Saint Snowden claims. If the NSA had such a backdoor it would be an extremely well kept secret and not left around where any low level junior contractor like Snowden would stumble across it.

      Go back and re-read how Snowden got to the position he did.

      The "Darnbob" version for you folks that won't bother to learn anything: Snowden was a network admin / security guy. Therefore had access to lots of stuff as his job was about the security of those things not about those things.

    18. Re: Bah by Anonymous Coward · · Score: 0

      Hashes are your friend

    19. Re: Bah by Anonymous Coward · · Score: 0

      What about the network over which you download the file that contains those hashes?

    20. Re: Bah by 1s44c · · Score: 1

      What about the network over which you download the file that contains those hashes?

      You could buy a CD but then you would say what about the postal system. I can't argue against you because you are right. But you have to make an assumption of trustworthiness somewhere.

    21. Re:Bah by Luckyo · · Score: 1

      Possible? Yes. Likely? No.

      Security is a process. Security subversion is also a process. All of them include risks. The point of both is to ensure that risk is acceptable in comparison to the action and its reward.

    22. Re:Bah by boristdog · · Score: 1

      ANYONE who has ever been a network/sysadmin type can tell you that that position gets you the keys to the kingdom on day 1.

      In the first week of my very first sysadmin job with a large gov't agency, in the days where I essentially knew NOTHING, they had me sitting in the director's chair, after hours, working on his PC, with his passwords all hand-written on a post-it (by the director himself) in front of me.

    23. Re:Bah by Anonymous Coward · · Score: 0

      How can you say it's unethical and for the greater good at the same time? I think maybe you're one of those who conflates right and wrong with legal and illegal. Let me tell you: Legal does not make it right, and illegal does not make it wrong.

  2. Another view on teh RSA / NSA thing... by QuietLagoon · · Score: 5, Informative
    RSA doesn’t quite deny undermining customers’ crypto

    Reuters reported on Saturday that the NSA had secretly paid RSA Data Security $10 million to make a certain flawed algorithm the default in RSA’s BSAFE crypto toolkit, which many companies relied on. RSA issued a vehement but artfully worded quasi-denial. Let’s look at the story, and RSA’s denial....

    1. Re:Another view on teh RSA / NSA thing... by cold+fjord · · Score: 0

      Doesn't really look like a "quasi-denial."

      RSA Response to Media Claims Regarding NSA Relationship

      Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

      We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security. .....

      RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    2. Re:Another view on teh RSA / NSA thing... by thue · · Score: 4, Insightful

      You need to read it like a lawyer. Take the first claim for example

      > Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

      Note what is not denied:

      * It is not denied that the contract existed
      * It is not denied that they set Dual_EC_DRBG as default as a result of the contract
      * It is not denied that the contract was secret (they do later state that their relationship with the NSA in general was not secret, which is correct, but does not preclude one contract from being secret)

      The only thing they deny is that they knew that Dual_EC_DRBG contained a backdoor when they made the secret contract to set it as the default.

      The same with their other non-denials.

    3. Re:Another view on teh RSA / NSA thing... by cold+fjord · · Score: 1, Interesting

      In short, your reading as a lawyer doesn't produce anything helpful in furthering the claim that they deliberately weakened RSA.

      They didn't make a "non-denial." It appears to be quite explicit. I suggest following the link and reading the original.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    4. Re:Another view on teh RSA / NSA thing... by gargleblast · · Score: 3, Insightful

      They didn't make a "non-denial." It appears to be quite explicit.

      The only thing explicit is that RSA denied a bunch of highly specific scenarios. Let me highlight one word:

      Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

      Now change that one word from "known" to "unknown". Did they deny that?

      Plausible deniability. The only truth with a hole in it!

    5. Re:Another view on teh RSA / NSA thing... by cold+fjord · · Score: 0, Flamebait

      Now change that one word from "known" to "unknown". Did they deny that?

      I can play that game too. Change that one word from "known" to "fried chicken recipe." Did they deny that?

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    6. Re:Another view on teh RSA / NSA thing... by Anonymous Coward · · Score: 0

      In short, your reading as a lawyer doesn't produce anything helpful in furthering the claim that they deliberately weakened RSA.

      At this point the burden of proof is on RSA, even without considering their past misdeeds. If they can't make a blanket denial, then we should believe that the scenario is "The NSA paid us to do something, to not ask why, and not tell anybody about it."

    7. Re:Another view on teh RSA / NSA thing... by cold+fjord · · Score: 0

      I think at this point the burden is on you to read: "we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."

      That seems pretty definitive to me.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    8. Re:Another view on teh RSA / NSA thing... by thue · · Score: 1

      Many news articles in mainstream media have pointed out that it is a non-denial. If RSA Security was innocent, it would be easy to just issue a new press release saying unambiguously that no contract existed. Why hasn't RSA Security done that?

    9. Re:Another view on teh RSA / NSA thing... by cold+fjord · · Score: 1

      The question isn't whether they had a contract, but what the contract did. Did they conspire to introduce weaknesses into their product? They deny that. Claiming that if they don't deny there was a contract makes them "guilty" is playing games.

      RSA Response to Media Claims Regarding NSA Relationship

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    10. Re:Another view on teh RSA / NSA thing... by Luckyo · · Score: 1

      When they "categorically deny weakening any RSA products" without all the caveats attached, it will be a denial. Until then, it's a denial of something that they weren't accused of, and not a word was said about what they were actually accused of.

      We have plenty of examples of this kind of corporate speak in PR management, ranging from BP's fairly recent oil leak issue which was full of them to pretty much any other major industrial incident. We have people who spin this stuff for a living and make more doing so than 99% of population.

    11. Re:Another view on teh RSA / NSA thing... by Anonymous Coward · · Score: 0

      Out of curiosity, do you believe that they didn't conspire to introduce weaknesses into their product? If so, what's your line of reasoning that enables you to trust them at their word?

    12. Re:Another view on teh RSA / NSA thing... by WaywardGeek · · Score: 5, Insightful

      The crypto email list discussed this at length. People chimed in who remember when this happened. Here's my take away: EMC had just bought RSA, and was looking for profits, and many of the best and brightest at RSA had left. The NSA offered $10M to make their RNG the default in BSAFE, and no one at RSA could offer EMC management any compelling argument as to why they should not take the money. RSA issued a press release about it. There was no secrecy. Competitors thought it was foolish to take money from the NSA, and at the same time wondered how they could get onto this gravy train.

      This is a case of typical incompetence. The response RSA published is slimy lawyer crapola. The lawyer sucks as bad as the incompetent EMC management. The good news is that there was no secret deal that RSA agreed to with the NSA to compromise all our security. The NSA did their job well. RSA didn't. I'll just point out that only crypto ignoramuses would accept closed-source un-auditable stuff from anyone when it comes to encryption, IMO. Money corrupts this industry.

      --
      Celebrate failure, and then learn from it - Nolan Bushnell
    13. Re:Another view on teh RSA / NSA thing... by jafac · · Score: 1

      RSA is very likely bound by a Non Disclosure Agreement. I would not expect them to EVER admit to this, unless or until a judge ordered them to do so, or ordered the NDA null and void.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    14. Re:Another view on teh RSA / NSA thing... by gargleblast · · Score: 1

      The question isn't whether they had a contract, but what the contract did.

      Holy freaking guacamole. WHAT CONTRACT? The question is, why did RSA do what they absolutely incontrovertibly did? And here is what they did: they included an NSA-backdoored crypto RNG in their BSAFE product and made it the default RNG. In other news, RSA pocketed $10M of NSA's money.

      Claiming that if they don't deny there was a contract [that] makes them "guilty" is playing games.

      If it's a game, it sure is a fun one. Those pinpoint denials leave them plenty of wiggle room to say "We didn't know. We didn't know because when we asked, the NSA said 'You don't want to know' ". Or, "It wasn't a 'secret contract', it was a 'gentleman's agreement' ". Or "We did not have sexual relations with that agency. They gave us a choice: buttfuck or backdoor ... helluva choice."

      Now for god's sake please stop clinging to those ridiculous denials.

    15. Re:Another view on teh RSA / NSA thing... by TranquilVoid · · Score: 1

      That's very different. "Fried chicken recipe" isn't of interest to the asker, but the RSA deliberately orchestrating the insertion of an unknown flaw certainly is. All your parent is saying is that they have denied a very specific allegation, and perhaps that allegation is over-specific and got some non-essential details wrong, allowing them to misleadingly deny it as a whole.

    16. Re:Another view on teh RSA / NSA thing... by 1s44c · · Score: 1

      If I hold a gun to your head and tell you to give me your wallet or I blow your brains out and you give me said wallet.. Well that's not a contract or a project.

      If the NSA walk into RSA headquarters and tell the boss he and all his senior management are going down for a long time for tax evasion unless they use an NSA created random number generator.. Well that's not a contract or project either.

    17. Re:Another view on teh RSA / NSA thing... by 1s44c · · Score: 1

      Many news articles in mainstream media have pointed out that it is a non-denial. If RSA Security was innocent, it would be easy to just issue a new press release saying unambiguously that no contract existed. Why hasn't RSA Security done that?

      It doesn't have to have been done as part of a conventional contract. They would deny the contract exists and not that they did the thing in question.

      RSA can't be trusted unless they use absolutely clear phrasing, and even then they could be lying under orders from the NSA.

    18. Re:Another view on teh RSA / NSA thing... by cold+fjord · · Score: 1

      we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.

      Could you point out the problems in that? Maybe you'll want to go back to the original post, follow the link, and read.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    19. Re:Another view on teh RSA / NSA thing... by Anonymous Coward · · Score: 0

      It just means their intention was not weakening it. Their intention probably was to take the money. Their stuff at that time probably did not have a proof it would make the product less secure. So they decided to use something from a questionable source. They were incompetent.

    20. Re:Another view on teh RSA / NSA thing... by complete+loony · · Score: 1

      Or even suspected. They didn't deny that either.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    21. Re:Another view on teh RSA / NSA thing... by jafiwam · · Score: 1

      I think at this point the burden is on you to read: "we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."

      That seems pretty definitive to me.

      Ah. The old "we didn't MEAN to do it" defense.

      Works for any four year old.

      Next up, "my baby din do nuffin!" defense. (Despite overwhelming evidence indicating they DID do it.)

    22. Re:Another view on teh RSA / NSA thing... by Luckyo · · Score: 1

      After you remove the PR crap, the sentence becomes:
      "We didn't intend on weakening RSA's products".

      It's not a denial of the backdoor. It's also not a denial of making a contract with NSA to backdoor the algorithm. It's merely a denial of intention on higher levels.

      Classic plausible deniability, denial that means nothing if definite proof of this leaks next. They can simply claim they didn't know.

    23. Re:Another view on teh RSA / NSA thing... by Anonymous Coward · · Score: 0

      "we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."

      As a company, RSA's intentions are always to make money. What their clients' intentions may be are irrelevant, RSA (like any other company) enters into a contract to make money. There may be other advantages or disadvantages to said contract, but the reason for the contract is to make money.

      If somebody sells me a ton of candy, their intention is to make money, not to give me tooth cavities, although the latter may be a predictable outcome.

    24. Re:Another view on teh RSA / NSA thing... by stdarg · · Score: 1

      Any time you make a denial more specific than necessary to get the point across, it raises suspicion. I don't think you need to change the word "known" to "unknown" to make a point, the mere fact that "known" is in there is odd. Same with "secret" contract. Nobody cares if the contract was secret, or if there even was a contract vs a high level understanding or a backroom verbal agreement.

      That said, the bit you quoted at the end ("we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.") is a pretty good denial. I'd still get rid of half of it... the extra verbiage of "entered into any contract or engaged in any project" is bad.

      Overall, if RSA did have a secret contract, they're not going to just say "Yep ok we've been caught" so I agree that analyzing their denial doesn't add anything. They're going to deny it whether it's true or not.

      No idea why you got downmodded so viciously in this thread!

    25. Re:Another view on teh RSA / NSA thing... by Anonymous Coward · · Score: 0

      I can play that game too.

      Apparently you can't. Your example doesn't make sense. The parent poster's example does. Then again, nobody is surprised when you post crap like this. The question in my mind is why you appear to believe that anyone will fall for it. Hint: Very few do, and the ones you want to don't.

    26. Re:Another view on teh RSA / NSA thing... by Anonymous Coward · · Score: 0

      It's not a flaw, it's a feature.

  3. YES! by Anonymous Coward · · Score: 0

    Excellent, proof now what happens?

    1. Re:YES! by Anonymous Coward · · Score: 2, Informative

      Someone creates an angry blog post and someone else submits a petition to change.org. Then nothing.

    2. Re:YES! by Anonymous Coward · · Score: 1

      And some people generate new key pairs

    3. Re: YES! by PC_THE_GREAT · · Score: 1

      People use something else, until a new scandal crops up.

    4. Re:YES! by Anonymous Coward · · Score: 0

      The damage was already done. Whenever anything is mentioned about terrorism or child porn, I know it's just a coverup. I'm actually rooting for the terrorists now, whoever they are.

    5. Re:YES! by Anonymous Coward · · Score: 0

      I honestly don't see anything we can do but boycott RSA, but then what will change?

      We could demand they fix the flawed code, but can you trust that it won't just be replaced with an even more clever piece of coding? The flaw is genius.

      We could demand real privacy, but it's a dream; we lost that right once we became meshed in social media and the need to share.

      We could demand limits on spying/collecting data, but what about the terrorists that want to hurt the US, so they need to hurt the rest of the world instead of working with them.

      Safe encryption is hard to find; there are new projects and pipeline projects that exist, and companies working on their own in-house encryption.

    6. Re:YES! by MobSwatter · · Score: 1

      Currency implosion, wouldn't worry so much about your paychecks not cashing, the oil peddling masters' balls that you've been licking are contaminating water aquifers and rendering US soil uninhabitable so there won't be much food grown or water to drink to buy with a paycheck that doesn't cash anyway, genius.

    7. Re:YES! by GameboyRMH · · Score: 1

      They are us. Some really bad people are slightly inconvenienced as a side-effect, but are by no means stopped (See: Tsarnaev brothers, zero evidence of attacks stopped by the NSA).

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    8. Re:YES! by MobSwatter · · Score: 2

      Philip Zimmerman, PGP. Older versions 6.5.8 might be okay, something open source. However there is all this worthless security infrastructure in place already that has been rooted. There needs to be compensation for fraud.

    9. Re:YES! by Will.Woodhull · · Score: 4, Insightful

      For a start, we could at this point reasonably demand that everyone who has accepted a salary from NSA be branded on the forehead with a scarlet letter, so that anyone with any sense would know not to hire them for any position involving trust. Let them work as street sweepers. As persons who sort garbage into different recycling streams. We know these persons cannot be trusted. Identify them, remove them from their current jobs, and place their names on a very public list of persons who cannot be entrusted with anything, in any endeavor.

      There needs to be some amount of personal responsibility in the NSA, yet with the obvious exception of Snowden, there is no evidence of any such thing. One good place to start is to hold those who were involved in creating this monster accountable for ethical / moral turpitude.

      --
      Will
    10. Re:YES! by dgatwood · · Score: 1

      We could demand real privacy, but it's a dream; we lost that right once we became meshed in social media and the need to share.

      That's a fallacy. I choose what I share on social media. Granted, I can't control what other people share about me, but that was just as true before social media; we just used to call it gossiping. That's why you have to be careful who you trust with things that you consider secret—keep your secrets secret and all that.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    11. Re:YES! by Anonymous Coward · · Score: 0

      That's a fallacy. I choose what I share on social media.

      No you don't. Social media sites like Google+ and Facebook vacuum up information about you from everywhere, even things you never intended to be made public like links you've clicked on.

    12. Re:YES! by behrooz0az · · Score: 1

      mod this isnightful.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    13. Re:YES! by Em+Adespoton · · Score: 5, Informative

      That's a fallacy. I choose what I share on social media.

      No you don't. Social media sites like Google+ and Facebook vacuum up information about you from everywhere, even things you never intended to be made public like links you've clicked on.

      Indeed -- you choose what you share on social media (to a degree), but most people aren't aware of the value of what they're sharing in the first place, and they have almost no control over what is shared about them. This is not the same as gossiping, as gossip involves the game of telephone -- there's no documented evidence that it's true. But when a date-stamped geolocated image of you in a nightclub shows up on your friend's blog with facial recognition indicating that it's you in the picture, and you called in sick that day, that's not gossip; that's evidence -- especially since that photo can then be flagged up for people who are following YOU (including co-workers and possibly your boss), even though you had nothing to do with the publication of the photo.

      And this is before we get into whether your privacy settings have been changed by the service host since the last time you reviewed them, and whether others who don't need to honor those settings have found anything interesting in "your" files hosted in an international cloud server system.

      If you choose to share nothing on social media, then at least none of the links can be verified, and it's closer to gossip. As soon as you start to share anything though, the metadata is enough of a net to snag all the bits of data about you that are published by others.

    14. Re:YES! by deviated_prevert · · Score: 1, Insightful

      No you don't. Social media sites like Google+ and Facebook vacuum up information about you from everywhere, even things you never intended to be made public like links you've clicked on.

      Which to the NSA is useless information overload; with RSA keys being easily hacked it leads down a completely different path than the average Joe on the net. I would think that the NSA is much more interested in targets of value. The fact is most people who use Google+ or Faceplant have nothing of any real value to be had, especially for security agencies. If you are a consumer and all of a sudden your posting habits make advertising money for Brin and Zuckerberg, who gives a rat's ass. Here we are with a bunch of so called information gurus telling us that our consuming habits are a valuable commodity. Personally I listen to Igor Stravinsky and if in watching and listening to a youtube vid suddenly Google comes back and advertises a concert somewhere of a performance of Le Sacre Du Printemps then good for them.

      AND BY THE WAY nice shift off the topic and away from the bastards at the NSA subverting RSA keys and a not so cunning redirect to attack instead Google services as being somehow associated with the information sink hole in Washington that is the NSA.... If however I frequent neo nazi sites and post hate speech on the net then as far as I am concerned being on the radar of the NSA is not that bad a thing...UNLESS OF COURSE I AM A MORON WHITEY TIGHTY BORN AGAIN NAZI MYSELF OR A CLOSET TERRORIST.

      However being much more concerned about my bodily fluids and essences, instead I am against the fluoridation of our precious water and bodily fluids. The encryption key is found in PURITY OF ESSENCE from which all things will be revealed. GOOGLE IS EVIL DON'T FORGET IT only through the use of Microsoft Windows and Bing can true encrypted PURITY OF ESSENCE be achieved. RSA keys the NSA have absolutely nothing to do with this thread. WOOOF

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    15. Re:YES! by Anonymous Coward · · Score: 1

      We could also brand the asses of the sanctimonious jackasses around here who feel the need to impose their versions of integrity and morality on the rest of us. You and your ilk are assholes and, like all those who claim to own the high moral ground, are not as relevant as you think you are. But, you are smarter than most; all we need to do is just ask you.

      We need another 15 stories of stale news about "teh NSA is bad; Snowden is a saint" so that you and the hive can express your indignation and outrage and thus make yourself feel superior to those you like to call "the sheeple."

    16. Re:YES! by cold+fjord · · Score: 0

      I had hoped that Slashdot had mainly passed beyond the "nutter" phase after the "truthers" have mainly cleared out. Apparently that was over optimistic.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    17. Re:YES! by FishOuttaWater · · Score: 2

      How many people work at the NSA? How many of them are involved in eavesdropping programs aimed at US citizens? Why don't we just make it easier and brand all government employees? Or all Americans?

    18. Re:YES! by MobSwatter · · Score: 1

      Did you ever stop to think that the "sanctimonious irrelevant jackasses" around here might be striving for "sadistic prick of the year" when it comes to subject matter being discussed that attacks the integrity of their work?

    19. Re:YES! by Kremmy · · Score: 1

      Isn't that what they're already doing?

    20. Re:YES! by Anonymous Coward · · Score: 0

      Uh buddy... it looks like you have a Scarlet Letter already. It's a 'g+' and it is glowing on the page. In the grey and green world of /. those g+ auths really stand out. It is like the scene from the movie 'Pleasantville' where the teens explode into color like so many little Adams and Eves.

      That tiny red g+ seems to be looking at me like an eye which follows me around the room. It's like the old secret of master painters where they drill holes in paintings and stuff eyeballs into them.

      [blink]SO IT GOES[/blink]

    21. Re:YES! by Anonymous Coward · · Score: 0

      mod this isfrightful.

    22. Re:YES! by Luckyo · · Score: 1

      Correct. But you do not choose what is shared about you on social media. Which is what actually matters.

    23. Re:YES! by anagama · · Score: 1

      The NSA is so busy building a haystack in which to search for needles, it misses the 100 ton girders with a Vegas scale neon sign pointing right at them.

      --
      What changed under Obama? Nothing Good
    24. Re:YES! by Anonymous Coward · · Score: 0

      anyone with any sense would know not to hire them for any position involving trust.

      I trust NSA employees to follow the boss's orders. Don't you?

    25. Re:YES! by Anonymous Coward · · Score: 0

      Said Slashdot's #1 Nutter. Go nutters!

    26. Re:YES! by Anonymous Coward · · Score: 0

      Delusional fascist nutter his case.

    27. Re:YES! by Cramer · · Score: 1

      OpenSource has nothing to do with it. Here we have (allegedly) a set of carefully crafted constants used in a crypto context. Without knowing why those specific numbers were chosen, or that they are, in fact, not "weak", everything using them, open and closed, is suspect.

      (I would tend to agree the NSA -- having had their hands all over the thing -- do know the secret relationship between P and Q.)

    28. Re:YES! by Em+Adespoton · · Score: 1

      No you don't. Social media sites like Google+ and Facebook vacuum up information about you from everywhere, even things you never intended to be made public like links you've clicked on.

      Which to the NSA is useless information overload....

      OK: first, you quoted the GP, who had a good point in responding to the GGP.

      Second, NSA doesn't need to deal with this info directly, because Google and Facebook already do. They can just intercept the aggregate metadata, and drill down as needed, as they know where to go for the details. How do you think they know how to serve these companies with information requests? They already have the metadata, and can use it to request the information stored by others. Why is this pertinent to the topic? Because to intercept the aggregate metadata, they have to break the encrypted streams -- which often involves FIPS-regulated transactions, which means Dual EC DRBG is possibly a default seed, especially on RSA-based products.

  4. What if you do believe? by Anonymous Coward · · Score: 1

    Can you still read the linked article? Or am I not allowed? I can't tell anymore what is allowed under the law and what isn't, since the US Gov feels free to interpret the law as it chooses.

  5. So just like xorshift64 then by Anonymous Coward · · Score: 2, Interesting

    xorshift64 is a simple random number generator with a period of 2**64 - 1 (you cannot use 0).
    The 64 bit random number that it produces is the same as its complete state.

    1. Re:So just like xorshift64 then by thue · · Score: 1

      I think the backdoored Dual_EC_DRBG still has forward security. xorshift64 doesn't have forward security, if nothing else because the period is small enough that you can brute force search it.
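
To make the comparison in this subthread concrete, here is an added example (not from the article or from the posters above) of what "the output is the complete state" means for xorshift64: one observed value lets an attacker run the generator forward, and because each xorshift step is a bijection on 64-bit words it can be run backward just as easily, which is the forward-security failure being contrasted with Dual_EC_DRBG. The seed constants are arbitrary values chosen for the demonstration.

```python
# xorshift64 (Marsaglia), added example: the output IS the whole state, and every step is
# invertible, so one observed value yields all later *and* all earlier outputs.
MASK = (1 << 64) - 1


def xorshift64_step(x):
    """One xorshift64 step; the return value is both the output and the next state (0 stays 0)."""
    x ^= (x << 13) & MASK
    x ^= x >> 7
    x ^= (x << 17) & MASK
    return x


def _unxor_lshift(y, k):
    """Invert x ^= x << k: the low k bits of y are x's own, and each pass fixes k more bits."""
    x = y
    for _ in range(63 // k + 1):
        x = y ^ ((x << k) & MASK)
    return x


def _unxor_rshift(y, k):
    """Invert x ^= x >> k, peeling from the top k bits downward."""
    x = y
    for _ in range(63 // k + 1):
        x = y ^ (x >> k)
    return x


def xorshift64_unstep(x):
    """Exact inverse of xorshift64_step: undo the three shift-xors in reverse order."""
    return _unxor_lshift(_unxor_rshift(_unxor_lshift(x, 17), 7), 13)


def generate(seed, n):
    """What an honest user sees: n consecutive outputs from a secret, nonzero seed."""
    outs, x = [], seed & MASK
    for _ in range(n):
        x = xorshift64_step(x)
        outs.append(x)
    return outs


def predict_from_one_output(observed, n_back, n_forward):
    """Attacker: from a single output, reconstruct n_back earlier and n_forward later outputs."""
    fwd, x = [], observed
    for _ in range(n_forward):
        x = xorshift64_step(x)
        fwd.append(x)
    back, x = [], observed
    for _ in range(n_back):
        x = xorshift64_unstep(x)
        back.append(x)
    return back[::-1], fwd
```

With `seq = generate(0x9E3779B97F4A7C15, 8)`, `predict_from_one_output(seq[3], 3, 4)` returns exactly `seq[:3]` and `seq[4:]`, with no brute force at all. Dual_EC_DRBG's state update `s' = x(x(sP) * P)` cannot be undone like this; someone who learns a state can only move forward from it, which is the distinction thue is drawing.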

  6. Hmmm by koan · · Score: 1

    Meaning what? That encryption was good enough to keep likes of the NSA out even with their resources, and so they compromised it?
    Or something even more insidious.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Hmmm by viperidaenz · · Score: 1

      or they just wanted to make it easier/faster to break.

    2. Re: Hmmm by hoifelot · · Score: 1

      Could you give an example of what you think would constitute "more insidious?

    3. Re: Hmmm by Anonymous Coward · · Score: 0

      That is what he said.

    4. Re: Hmmm by MobSwatter · · Score: 5, Insightful

      Business Intelligence, for the purpose of corporate espionage. You also have to take into consideration that the NSA does answer to someone, and that someone was corporate sponsored before they were even put on a ballot to be voted on. They were put up to this, and continuance of the program likely has little to do with terrorism as the program has proven fruitless even after intelligence information was given about events prior to them being given/developing these tools but they in fact failed to respond accordingly to prevent them, this includes 9/11.

    5. Re: Hmmm by koan · · Score: 1
      --
      "If any question why we died, Tell them because our fathers lied."
    6. Re:Hmmm by mikael · · Score: 1

      With certain file encryption algorithms, they asked that the salt and/or hashed password were tacked on at the end of the file. That sped up decryption enough that their resources could decrypt the file, but not so much that anyone else could figure out it was compromised.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    7. Re:Hmmm by MobSwatter · · Score: 1

      Yeah, like in milliseconds through injection of a secondary curve. How else could real time acquisition of voice/data be efficient enough to handle growth in traffic through the intertubes.

    8. Re:Hmmm by fatphil · · Score: 1

      From the patent linked to from article:
      """
      [0047] Escrow keys are known to have advantages in some contexts. They can provide a backup functionality. If a cryptographic key is lost, then data encrypted under that key is also lost. However, encryption keys are generally the output of random number generators. Therefore, if the ECRNG is used to generate the encryption key K, then it may be possible that the escrow key e can be used to recover the encryption key K. Escrow keys can provide other functionality, such as for use in a wiretap. In this case, trusted law enforcement agents may need to decrypt encrypted traffic of criminals, and to do this they may want to be able to use an escrow key to recover an encryption key.
      """

      --
      Also FatPhil on SoylentNews, id 863
    9. Re: Hmmm by Anonymous Coward · · Score: 1

      The seed for the tcp sequence numbers of many systems is based on the hashed form of the admin or root password but the sequence numbers leak bits of the seed. Now if the seed for the hashed password is also weak, that means anyone who can watch packets of your system after a reboot can know your admin hash if not the plain text password.

  7. Amish by Anonymous Coward · · Score: 5, Funny

    shun anything electronic, or electric for that matter. Subsistence farm and read dead-tree books for leisure.

    1. Re: Amish by hoifelot · · Score: 2

      Trees are the new black!

    2. Re:Amish by Em+Adespoton · · Score: 2

      shun anything electronic, or electric for that matter. Subsistence farm and read dead-tree books for leisure.

      Only read illuminated books though, not printed books. Otherwise, you're no better than the Luddites (who, while known for destroying printing presses and automated looms, weren't actually against the technology, just against it only being in the hands of the rich and powerful, to the detriment of the working class).

    3. Re:Amish by cold+fjord · · Score: 5, Interesting

      shun anything electronic, or electric for that matter. Subsistence farm and read dead-tree books for leisure.

      Spooked by NSA, Russia reverts to paper documents
      Kremlin returns to typewriters to avoid computer leaks

      Only one of the many "benefits" from the leaks, not to mention:

      Snowden revelations lead Russia to push for more spying on its own people

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    4. Re: Amish by Anonymous Coward · · Score: 2, Funny

      Trees are the new Red-black!

      FTFY!

    5. Re:Amish by Anonymous Coward · · Score: 0

      The leaks were inevitable, even if Snowden hadn't leaked, the NSA would have hired someone else with morals sooner or later.
      What caused this was NSA's illegal wiretapping, not the leak.

      Also, why do you hate the people of America so much?

    6. Re:Amish by Anonymous Coward · · Score: 0

      shun anything electronic, or electric for that matter. Subsistence farm and read dead-tree books for leisure.

      You wouldn't be welcome, because the Amish actually value literacy.

  8. Good article by Okian+Warrior · · Score: 5, Informative

    The link above is a very good introductory article on EC cryptography. If you know a little math but have no background in elliptic curves, this is a good introduction. Well worth reading.

    Clearly explained at an introductory level, with Wikipedia links for the assumed terms.

    Topical, singular (ie - it's the first one currently, a news "scoop" if you like), technical, and important.

    Lots to like here - Slashdot needs more articles like this.

    1. Re:Good article by Wizel603 · · Score: 1

      Too bad I've already given up on Slashdot and left. Really, I'm not here. You don't see me.

    2. Re:Good article by ISoldat53 · · Score: 1

      Edward Frenkel's new book, "Love & Math" also has a good explanation of the math of elliptic curves that non mathematicians can understand.

    3. Re:Good article by neokushan · · Score: 3, Informative

      Just to add to this, if you want a good primer on Elliptic Curve Cryptography in general (and not just this exploit), this article from Cloudflare is pretty great even if you don't have a mathematical background. It also explains RSA quite well, so it's a good general crypto primer:

      http://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    4. Re:Good article by Em+Adespoton · · Score: 5, Funny

      Too bad I've already given up on Slashdot and left. Really, I'm not here. You don't see me.

      Weak are your Jedi powers, my son.

    5. Re:Good article by cbiltcliffe · · Score: 1

      Hey.....did you guys hear something? I thought I heard a voice say something, but I couldn't quite hear what it was....

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    6. Re:Good article by MobSwatter · · Score: 1

      I think is what the powers that be behind the NSA directives, and it said, "Whose ur daddy, bitch?".

  9. is RSA soon an open vault? by hoifelot · · Score: 1

    It seems to me that anything we thought were encrypted and could be, and was, considered secure in that embodiment, is soon subject to revelation. I'm no expert, but I'm losing faith in these algorithms. Please tell me it's going to be okay. PS: if you are NSA, I don't need your reassurances.

    1. Re:is RSA soon an open vault? by gnasher719 · · Score: 4, Informative

      It seems to me that anything we thought were encrypted and could be, and was, considered secure in that embodiment, is soon subject to revelation. I'm no expert, but I'm losing faith in these algorithms. Please tell me it's going to be okay. PS: if you are NSA, I don't need your reassurances.

      Don't worry. It was known for quite a while that this algorithm _might_ have been backdoored. There are basically three possibilities:

      1. The NSA didn't know that it could be backdoored when they created it. So there is no backdoor, and the NSA is kicking themselves for that missed opportunity, or for the embarrassment. 2. They knew about it, but intentionally didn't create a backdoor. 3. They knew about it and created a backdoor.

      From looking at the algorithm, we cannot possibly know which one is the case. Obviously it would be totally insane to use this algorithm. But that _was_ known for quite some time.

    2. Re: is RSA soon an open vault? by hoifelot · · Score: 1

      So what is a viable alternative, assuming one would like to maintain the private/public key feature?

    3. Re: is RSA soon an open vault? by Anonymous Coward · · Score: 0

      mandate the inclusion of a hardware random number generator in new series computers, with verifiable values for its randomness in sequences produced, and standards to which such devices need to conform.

      really, such a thing could be sold in a USB keyfob form factor and be just fine. just use americium decay as the signal generator, similar to what's in a smoke detector. define it as a composite HID class, with a type descriptor and a virtual serial port.

      from what I can see here, the flaw is not in the concept of public key, the flaw is in keypair deduction, based on the faulty random source. Replacing the random sequence generator with one that produces really real random sequences would neatly solve the problem.

    4. Re:is RSA soon an open vault? by sjames · · Score: 4, Insightful

      But looking at it from a motivation standpoint, only option 3 would be worth paying $10 million for.

    5. Re:is RSA soon an open vault? by citizenr · · Score: 1

      1. The NSA didn't know that it could be backdoored when they created it. So there is no backdoor, and the NSA is kicking themselves for that missed opportunity, or for the embarrassment. 2. They knew about it, but intentionally didn't create a backdoor. 3. They knew about it and created a backdoor.

      From looking at the algorithm, we cannot possibly know which one is the case. Obviously it would be totally insane to use this algorithm. But that _was_ known for quite some time.

      Except for the 10mil paid to RSA in secret and 2005 patent describing use of this algo for _this exact purpose_.

      --
      Who logs in to gdm? Not I, said the duck.
    6. Re: is RSA soon an open vault? by Anonymous Coward · · Score: 0

      with verifiable values for its randomness in sequences produced

      Sorry, unfortunately that is mathematically impossible to verify.

    7. Re: is RSA soon an open vault? by Anonymous Coward · · Score: 0

      you can't guarantee "random".

      you CAN give a confidence value that there is no correlation between any series of X number of values, however. (and by extension, any correlation of any X number of series. Randomness is not a property of a number, it is a property of a series. Because there is no such thing as a perfect detector, there will be biases, even in a fully hardware radio decay randomness generator. That is why you need a confidence over series length value. It describes how many random numbers you need to sample before you can start to see these biases, and then exploit them.)

      that is how you would present such a value.

    8. Re: is RSA soon an open vault? by Anonymous Coward · · Score: 0

      for an example of this, look at a thrown pair of dice.

      there are 6^2 combinations, but for certain summed values, there are multiple possible combinations, while for others there is only 1.

      for instance "7", can be 6+1, 5+2, 3+4, and reciprocals.
      for 2, there is only 1+1. so, you are 3x more likely to get a 7 than you are to get a 2 from thrown dice, even with ideal random conditions. (mechanically thrown, dice are perfectly balanced, etc.)

      when you consider that a radio random source detector is the summation of radio induced excitations in that detector, the larger the detector is, the more likely that multiple events will occur, and this introduces biases, much like with the dice.

      again, much like with the dice, you can give a confidence on the output. an output with a very large bias is undesirable, for obvious reasons.

    9. Re: is RSA soon an open vault? by Anonymous Coward · · Score: 0

      do not use any ciphers with EC in their name

  10. OpenBSD by McGruber · · Score: 1

    Does this mean that OpenBSD has suffered a 3rd remote hole in its default installation? (http://it.slashdot.org/story/07/03/15/0045207/remote-exploit-discovered-for-openbsd)

    (I don't understand the implications of Aris' blog above, so I'm hoping someone can explain it to me & other OpenBSD users.)

    1. Re: OpenBSD by Richard_at_work · · Score: 4, Interesting

      No, because OpenBSD doesn't just use this PRNG as the source of randomness for its encryption implementations, it has used other sources mixed in for a long time. There was a recent story about FreeBSD switching to other sources and De Raadt being all cocky about other people finally doing what OpenBSD has done for years.

    2. Re: OpenBSD by iggymanz · · Score: 2

      that particular bug you link was fixed a week before it was found to be a security vulnerability (at the time it was known to cause a crash)

      http://marc.info/?l=openbsd-misc&m=117404837006368&w=2

    3. Re: OpenBSD by Anonymous Coward · · Score: 0

      Just to be clear: FreeBSD has been mixing sources of randomness for years too, the author of that article misread FreeBSD's announcement.

  11. FIPS by sunderland56 · · Score: 4, Informative

    FIPS is a large group of standards - literally, the Federal Information Processing Standards. Any requirement is not "mandated by FIPS", it is mandated by one particular standard - which may or may not apply to any contract.

    FIPS 140-2 Annex C, for one, lists quite a few acceptable random number generators; for that standard, I see no requirement for Dual EC DRBG.

    1. Re:FIPS by Anonymous Coward · · Score: 5, Informative

      FIPS is a large group of standards - literally, the Federal Information Processing Standards. Any requirement is not "mandated by FIPS", it is mandated by one particular standard - which may or may not apply to any contract.

      FIPS 140-2 Annex C, for one, lists quite a few acceptable random number generators; for that standard, I see no requirement for Dual EC DRBG.

      There's still no requirement for Dual EC DRBG (so the summary is misleading) but Annex C is also somewhat misleading.

      FIPS 140-2 is modified by SP 800-131A which describes algorithm transitions (see FIPS 140-2 Implementation Guidance G.14) and therefore any new FIPS 140-2 module submitted after Dec 31, 2013 can only use an RNG from the SP 800-90A standard; not any of the other RNGs listed in Annex C.

      However SP 800-90A specifies four different DRBG algorithms, only one of them being the suspect Dual EC DRBG. So even today new modules aren't forced to use it. (And in fact I believe NIST posted a warning on their 140-2 website strongly recommending that people not use the Dual EC DRBG)

    2. Re:FIPS by Anonymous Coward · · Score: 1

      If I've been understanding the news releases lately RSA Inc. specifically made this particular PRNG the default in its cipher suites sold to basically everyone. And they claimed that this was done to conform to FIPS compliance. So whether it really was required or not doesn't matter. They convinced (or tricked) lots of people into using it by default.

    3. Re:FIPS by Anonymous Coward · · Score: 0

      Correct

      it is one valid option to use, but not mandatory. There are multiple devices implemented out there, with FIPS certification, that do not implement this algorithm by default.

  12. How long until someone cracks the backdoor key? by gman003 · · Score: 4, Interesting

    Actually read TFA, enough flew over my head that I can't personally verify the math, but if true, well holy fucking shit. Once someone brute-forces the backdoor "key" used by the NSA, it looks like the entire system is cracked. Even if it takes a while to brute-force, once you have that you can open any encryption using that curve.

    Given that cracking this open would be so useful to both other monitoring agencies, and to criminal hackers, it's sure to happen eventually, if it hasn't already. I'm sure China could throw one of their supercomputers at it.

    I'd be curious to know just how hard it would be to brute-force the backdoor key itself. There didn't seem to be anything in TFA about that, and I can't figure out the math myself.

    1. Re:How long until someone cracks the backdoor key? by gnasher719 · · Score: 4, Informative

      Actually read TFA, enough flew over my head that I can't personally verify the math, but if true, well holy fucking shit. Once someone brute-forces the backdoor "key" used by the NSA, it looks like the entire system is cracked. Even if it takes a while to brute-force, once you have that you can open any encryption using that curve.

      It's quite possible that this cannot be brute forced. The only way is to create the back door at the time that the random number generator is created. In the end, that is the _first_ requirement: That an arbitrary attacker, given a complete description of the algorithm, cannot brute force it.

    2. Re:How long until someone cracks the backdoor key? by thue · · Score: 1

      According to Dan Shumow and Niels Ferguson's 2007 presentation, finding the private key e corresponds to solving one instance of the elliptic curve discrete log problem, which is believed to be a very hard problem indeed, and probably not even doable for any current supercomputer.

    3. Re:How long until someone cracks the backdoor key? by Anonymous Coward · · Score: 5, Informative

      (Hi. I'm the one Dan was replying to, from another thread. Proof on request, but /. mangles PGP signatures, amongst many other things.)

      No, it'd take a Rho attack of 2^127.8 complexity to break that key. Not happening. Way more likely is that someone simply steals the key from the NSA - a daunting prospect - but not particularly useful if all you wanted to know is that there is a backdoor, not to actually use it. There is, and people have been pointing that out since 2006.

      I was... surprised at Dan's response. I did not actually expect a response to noting that the backdoor in Dual_EC_DRBG was, and I'll quote myself here, "a backdoor that couldn't have been more obvious if you'd erected a flashing neon sign and driven a mounted parade with a marching band through it", because I didn't think anybody was in disagreement about that. Apparently I was wrong.

      My own reply to him, pointing out that even if you mind your Ps & Qs (in the way that he patented, mind you), Dual_EC_DRBG still sucks: http://www.ietf.org/mail-archive/web/cfrg/current/msg03689.html

      I don't have a reply to that yet. In all fairness, it has been the Christmas and New Year period, and it's been kind of a busy one this year, and there's some procedural things to sort out that are probably going to take some time (and input from the crowd here would probably only make things worse, right now). Meanwhile, we have recommendations to make about TLS - in short, use it, but for God's sake, turn off RC4 because it's shit and probably worse than the BEAST attack people tended to use it to avoid - and some new things to roll out with that before the big work on TLS 1.3; with encrypted ClientHellos and pinned certificates to stop random CAs impersonating sites high on the wishlist.

      An update, by the way: after re-opening the comments period, having been openly informed of the Snowden disclosures (albeit years after cryptographers warned them), NIST have agreed to remove Dual_EC_DRBG from SP 800-90A. So that's something, at least.

      /akr

    4. Re:How long until someone cracks the backdoor key? by Anonymous Coward · · Score: 0

      I'd be curious to know just how hard it would be to brute-force the backdoor key itself. There didn't seem to be anything in TFA about that, and I can't figure out the math myself.

      Given that this was done by RSA+NSA, I assume they made it so hard it's completely intractable. They know their stuff, and it's in their interest to prevent it from being cracked. They could have botched it though, but that seems unlikely: they do have a majority of the world's cryptography budget on their side.

    5. Re:How long until someone cracks the backdoor key? by jader3rd · · Score: 3, Informative

      It's quite possible that this cannot be brute forced. The only way is to create the back door at the time that the random number generator is created. In the end, that is the _first_ requirement: That an arbitrary attacker, given a complete description of the algorithm, cannot brute force it.

      From what I understand the whole point of algorithms like this is that brute force is the only option (without knowing the key). If there was some other mathematical way of determining the key the hackers would use that; so the goal is to create an algorithm where the secret key has to either be known, or brute forced. The only way to find the secret key is to literally try every possible number and hope that the computer stumbles across the right one eventually.

    6. Re:How long until someone cracks the backdoor key? by MindStalker · · Score: 1

      If it's not doable, how then is the NSA supposed to have done it? It's not like they came up with the key at random then invented this algorithm to fit it, the fact that there is a backdoor key is a quirk of the mathematics.

    7. Re:How long until someone cracks the backdoor key? by MobSwatter · · Score: 1

      Yep, nothing like doing security work and finding one's pants are already around your ankles.

    8. Re:How long until someone cracks the backdoor key? by gman003 · · Score: 3, Informative

      From my understanding, the ability to have *a* backdoor is a quirk of the math, but the "key" depends on the parameters of the elliptic curve. Those parameters for this specific implementation were written by the NSA (under the guise of their mandate to secure American communications) and standardized by NIST. TFA had a full proof of concept using parameters he had generated, which worked.

    9. Re:How long until someone cracks the backdoor key? by thue · · Score: 2

      If you can choose P and e, then you can easily calculate Q=eP. It is only if you start with P and Q given that you can't find e.

    10. Re:How long until someone cracks the backdoor key? by Dr.+Blue · · Score: 3, Informative

      If its not doable how then did NSA supposed to have done it? Its not like they came up with the key at random then invented this algorithm to fit it, the fact that there is a backdoor key is a quirk of the mathematics.

      It's basically public-key crypto: you can create a keypair and publish the public key - that's essentially what this is, where the point Q in the Dual_EC_DRBG spec is really just a public key. There's a private key as well - it's far too expensive to compute it from the public key (basically 2^128 time), but they didn't have to do that since they generated the private key first.

      And it's really not a "quirk of the mathematics" - it's really pretty straightforward if you understand elliptic curves, and it has been well-known how to do this since 2007 or earlier. I think a lot of academic cryptographers didn't really worry about it when Shumow and Ferguson pointed out the potential backdoor, because it's really a pretty crappy technique anyway - academic cryptographers, who quite frankly often don't know what is used in practice, assumed no one would use this. Then it turns out that RSA used it as the default technique in BSAFE. Oops.
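
Putting thue's "Q = eP" remark and Dr. Blue's public-key framing into code: the following is an added example, not the article's proof of concept and not anything from NIST, RSA or the posters above. It builds a toy curve over a 14-bit prime (the prime, a = -3, the search for B, the seed 0xACE and the secret e = 0x1337 are all arbitrary choices for the demo), runs the step structure of Dual_EC_DRBG from SP 800-90A (r = x(sP), s' = x(rP), output = x(rQ) with its top bits dropped), and then plays the attacker holding d = e^-1 mod order: from one truncated output, plus two more to confirm the guess, it recovers the internal state and predicts every later output. At toy size the truncation leaves 8 candidate x-coordinates; with the real 16-bit truncation on P-256 it is 2^16 candidates, each costing one scalar multiplication, which is why dropping so few bits leaves the trapdoor practical.

```python
# Toy Dual_EC_DRBG with a Q = e*P trapdoor.  Added example; tiny parameters, same structure as SP 800-90A.
P_MOD = 10007                  # toy field prime (P-256 uses a 256-bit prime)
A = (-3) % P_MOD               # y^2 = x^3 + A*x + B, NIST-style a = -3
INF = None                     # point at infinity
TRUNC_BITS = 3                 # the real generator drops the top 16 of 256 bits per output

# SQRT[v] = every y with y*y == v mod p; _X3AX[x] = x^3 + A*x mod p (reused everywhere below)
SQRT = {}
for _y in range(P_MOD):
    SQRT.setdefault(_y * _y % P_MOD, []).append(_y)
_X3AX = [(x ** 3 + A * x) % P_MOD for x in range(P_MOD)]


def ec_add(p1, p2):
    """Affine group law; B never appears in the formulas, so this works for any B."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 == -p2 (also covers y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def _find_curve():
    """Pick B giving a non-singular curve of prime order > p with no point at x == 0, so every
    point generates and no state or x-coordinate can ever be 0 mod the order (no INF surprises)."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0 or b in SQRT:
            continue
        n = 1 + sum(len(SQRT.get((c + b) % P_MOD, ())) for c in _X3AX)
        if n > P_MOD and is_prime(n):
            x = next(x for x in range(1, P_MOD) if (_X3AX[x] + b) % P_MOD in SQRT)
            return b, n, (x, SQRT[(_X3AX[x] + b) % P_MOD][0])
    raise RuntimeError("no suitable curve")


B, ORDER, P_GEN = _find_curve()
KEPT = P_MOD.bit_length() - TRUNC_BITS               # output bits that survive truncation


def drbg_step(s, Q):
    """One Dual_EC_DRBG iteration: (state, Q) -> (next_state, truncated output)."""
    r = ec_mul(s, P_GEN)[0]                          # r  = x(s*P)
    s_next = ec_mul(r, P_GEN)[0]                     # s' = x(r*P)
    out = ec_mul(r, Q)[0] & ((1 << KEPT) - 1)        # t  = x(r*Q) minus its top bits
    return s_next, out


def make_backdoored_q(e):
    """The trapdoor: publish Q = e*P and keep e; d = e^-1 mod ORDER undoes the multiplication."""
    return ec_mul(e, P_GEN), pow(e, ORDER - 2, ORDER)


def recover_state(out, confirm, d, Q):
    """Given one truncated output and d, return the state that follows it.  A candidate full x lifts
    to +/-(r*Q); d*(+/-r*Q) = +/-(r*P), whose x IS the next state.  Wrong lifts fail `confirm`."""
    for hi in range(1 << TRUNC_BITS):
        x = out | (hi << KEPT)
        if x >= P_MOD: break
        ys = SQRT.get((_X3AX[x] + B) % P_MOD)
        if not ys: continue                          # not an x-coordinate on the curve
        s_cand = ec_mul(d, (x, ys[0]))[0]
        s, preds = s_cand, []
        for _ in range(len(confirm)):
            s, o = drbg_step(s, Q)
            preds.append(o)
        if preds == confirm:
            return s_cand
    return None


def demo(seed=0xACE, e=0x1337, n_out=6):
    """User draws n_out outputs; attacker sees only the first three and predicts the rest (needs 0 < seed < p, 0 < e < ORDER)."""
    Q, d = make_backdoored_q(e)
    s, outs = seed, []
    for _ in range(n_out):
        s, o = drbg_step(s, Q)
        outs.append(o)
    s_rec = recover_state(outs[0], outs[1:3], d, Q)  # the state right after outs[0]
    if s_rec is None: return outs, []
    s, predicted = s_rec, []
    for _ in range(n_out - 1):
        s, o = drbg_step(s, Q)
        predicted.append(o)
    return outs, predicted
```

`demo()` returns the six honest outputs and the attacker's five predictions, and the predictions equal `outs[1:]`. Nothing in the attack needed the user's seed; it needed only d, which exists because whoever published Q chose e first. If Q had instead been generated verifiably at random, the candidate lifting would still work but there would be no d to apply, which is exactly the property the standard's fixed Q cannot demonstrate.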

    11. Re:How long until someone cracks the backdoor key? by cold+fjord · · Score: 2

      I suggest anyone interested in this controversy read the following:

      How a Crypto ‘Backdoor’ Pitted the Tech World Against the NSA

      Although this is in regard to GCHQ, it probably applies to NSA as well: ‘We Can Trust GCHQ On Encryption’

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    12. Re:How long until someone cracks the backdoor key? by deviated_prevert · · Score: 1

      If you can choose P and e, then you can easily calculate Q=eP. It is only if you start with P and Q given that you can't find e.

      Which only goes to show that one does not need to watch their Ps and Qs? I am very puzzled eeeeeeeeee!

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
  13. This is pretty freaking huge, if true by Anonymous Coward · · Score: 2, Insightful

    Please, people who understand EC properly, verify & reproduce this ASAP. If so this is yet another thing (one of the BIGGEST things) the NSA has denied about the content of the Snowden leaks.

    Plus RSA needs to really step up and be honest about just what occurred inside their walls wrt. FIPS and this algorithm.

    At this point, I think the longstanding rule that 'only a fool writes his own crypto' is getting weaker.. I would amend it to "only a fool writes his own crypto, or uses ones supplied by anyone without full, independent audit and full control over magic constants..."

    Captcha: bilked

    1. Re:This is pretty freaking huge, if true by MobSwatter · · Score: 1

      RSA needs to really step up and be honest about just what occurred inside their walls wrt. FIPS and this algorithm.

      This will never happen if they were subject to the NSL, they would be legally bound from doing such.

    2. Re:This is pretty freaking huge, if true by Cramer · · Score: 1

      They aren't going to admit shit, for purely financial reasons. (they'd be sued out of the solar system for this.)

  14. Dual_EC is not mandatory by jgreen1024 · · Score: 1

    Dual_EC_DRBG is *not* mandatory under FIPS 140-2. As of today (January 1), some of the older RNGs are no longer permitted for new FIPS validations, effectively leaving you with only SP800-90A (DRBG). However, there are four different DRBGs contained within 800-90A. Nothing says you need to implement all four of them. One is good enough. Out of the four, only one of them (Dual_EC) is considered suspect.

    1. Re:Dual_EC is not mandatory by Anonymous Coward · · Score: 0

      Thank goodness it wasn't actually mandatory, that's probably why, as it turns out, nobody using OpenSSL has even seen this bug which renders that implementation broken (if I read correctly):

      http://marc.info/?l=openssl-announce&m=138747119822324&w=2

      Pretty sad even independent of the NSA issue... the algorithm was so obscure or untrusted already that no one even noticed it's been broken in OpenSSL for a long time :/

  15. The maths is easy for a fifth grader by Anonymous Coward · · Score: 0

    If you want to check that its random, just sample the output, brute force it and see if it puts out the whole range of possible values in equal amounts

    1. Re:The maths is easy for a fifth grader by VortexCortex · · Score: 2

      You moron. My PGP encrypted email passes the Diehard tests for randomness -- Doesn't mean it's actually random bits.

    2. Re: The maths is easy for a fifth grader by Anonymous Coward · · Score: 2, Informative

      Incorrect.

      Randomness will assume a gaussian curve distribution, given enough samples, over sufficient time.

      A generator algorithm that produces a uniform flat distribution would expose predictable patterns in output that could be exploited.

    3. Re:The maths is easy for a fifth grader by black3d · · Score: 2

      And when you're done in 50000 years with our current supercomputers, let us know the results. The number of possible combinations is a bit over 170141183460469231731687303715884105728. Good luck with your bubble-sort.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    4. Re: The maths is easy for a fifth grader by Anonymous Coward · · Score: 0

      Um nope sorry, over time there may be bumps here and there but more time will flatten. If it's a Gaussian curve it's biased

    5. Re: The maths is easy for a fifth grader by Anonymous Coward · · Score: 1

      By that definition even this is random:

      int rand()
      {
              static int seed = 0;
              seed++;
              return seed;
      }

      Outputs full range of values? Check!
      Must be random.

    6. Re: The maths is easy for a fifth grader by Anonymous Coward · · Score: 0

      there is no such thing as perfect randomness, even with hardware random generators. this is because there is no such thing as a perfect detector.

      the location of the bias in the series, and the intensity of that bias, will vary from detector to detector, but this is still a fundamental aspect of the real world. This is balanced out, in that theoretically, there is no way to determine where the bias will manifest or to what extent, without plotting a *lot* of samples and burning a lot of time. (and in theory, since the bias itself is random, other devices of "identical" type will have different, random biases.)

      a device that consistently produces a perfectly flat distribution with zero biases has to be flattening the biases of the detector. that means some algorithm is at work, and a measure of order is being introduced.

      ideally, a random sequence will be flat.
      in the real world, a random sequence will be ever so slightly gaussian, due to imperfections in the device which don't change between iterated numbers. you would need many billions of numbers to define this curve with a well made device, but it will be there.

    7. Re: The maths is easy for a fifth grader by Anonymous Coward · · Score: 0

      you are both wrong. a good random algorithm could assume any kind of probability distribution shape except the single point. You have to do a lot more testing, including but not limited to, higher dimensional analysis. For a textbook example of that read on the RAND algorithm pushed by IBM many years ago

    8. Re: The maths is easy for a fifth grader by Anonymous Coward · · Score: 1

      http://en.wikipedia.org/wiki/RANDU

  16. More interesting facts by thue · · Score: 5, Informative

    I have been adding various facts to the Wikipedia article on Dual_EC_DRBG. A good deal of the most interesting points have not been reported in mainstream media.

    * The ANSI group which standardized Dual_EC_DRBG were aware of the potential for a backdoor.
    * Three RSA Security employees were listed as being in that ANSI group, making RSA Security's innocence claim shaky, since it is less likely that RSA Security didn't know about the back door when NSA paid them $10 million to use Dual_EC_DRBG as default.
    * Two Certicom members of the ANSI group wrote a patent which describes the backdoor in detail, and two ways to prevent it.
    * Somehow the ways to prevent the backdoor only make it into the standard as non-default options.
    * Somehow the people on the ANSI group forget to publicize the potential for a backdoor. Especially Daniel Brown of Certicom (co-author of the patent), who also wrote an attempt at a mathematical security reduction for Dual_EC_DRBG, but somehow forgets to explicitly mention the backdoor. The conclusion in Brown's paper also seems very determined to hype Dual_EC_DRBG, whereas the other papers about Dual_EC_DRBG seem excited to hype the errors they find.
    * The potential backdoor only becomes public knowledge in 2007.
    * Daniel Brown writes in December 2013 that "I'm not sure if this was obvious." and "All considered, I don't see how the ANSI and NIST standards for Dual_EC_DRBG can be viewed as a subverted standard, per se.".

    Certicom is the main inventor and patent-holder for elliptic curve cryptography. The two Certicom employees failing to warn or prevent the backdoor they clearly know was possible doesn't reflect well on Certicom.

    1. Re:More interesting facts by thue · · Score: 4, Informative

      > In short, as is the case with many conspiracy theories all you have is a collection of things that are suggestive, not definitive.

      When you design a standard, one of the design criteria is that it does not allow for even a potential backdoor. See e.g. https://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number . It is most definitive that Dual_EC_DRBG should never have been approved given the knowledge available at the time of how to prevent any possible backdoor.

    2. Re:More interesting facts by Anonymous Coward · · Score: 1

      By the way, did you hear that NSA "fiddled" with the DES standard? They made mysterious changes to the proposed S-boxes to the standard. Any idea what happened there?

      The DES case is well understood: Wikipedia has a pretty good description of what happened. The S-Boxes were intentionally chosen to be optimal against differential cryptanalysis, which was not public knowledge for another 20 years, which seems like the NSA was making the algorithm stronger... but they also argued for a shorter key length, presumably because they wanted DES to be not too hard for them to break.

      On Dual_EC_DRBG, the problem is that there are known ways to make it provably secure and they weren't used. That's a huge red flag and simply bad practice even if there isn't a backdoor. Magic numbers in cryptography are generally very suspect and as a rule should be chosen/used in a way to guarantee that they are not chosen to be weak.

    3. Re:More interesting facts by cold+fjord · · Score: 1, Interesting

      You exaggerate things, which is consistent with much of the discussion on this. I suggest reading the whole article at the link.

      How a Crypto ‘Backdoor’ Pitted the Tech World Against the NSA

      Jon Callas, the CTO of Silent Circle, whose company offers encrypted phone communication, delivered a different rump session talk at the Crypto conference in 2007 and saw the presentation by Shumow. He says he wasn’t alarmed by it at the time and still has doubts that what was exposed was actually a backdoor, in part because the algorithm is so badly done.

      “If [NSA] spent $250 million weakening the standard and this is the best that they could do, then we have nothing to fear from them,” he says. “Because this was really ham-fisted. When you put on your conspiratorial hat about what the NSA would be doing, you would expect something more devious, Machiavellian and this thing is just laughably bad. This is Boris and Natasha sort of stuff.”

      Indeed, the Microsoft presenters themselves — who declined to comment for this article — didn’t press the backdoor theory in their talk. They didn’t mention NSA at all, and went out of their way to avoid accusing NIST of anything. “WE ARE NOT SAYING: NIST intentionally put a back door in this PRNG,” read the last slide of their deck.

      The Microsoft manager who spoke with WIRED on condition of anonymity thinks the provocative title of the 2007 presentation overstates the issue with the algorithm and is being misinterpreted — that perhaps reporters at the Times read something in a classified document showing that the NSA worked on the algorithm and pushed it through the standards process, and quickly took it as proof that the title of the 2007 talk had been right to call the weakness in the standard and algorithm a backdoor.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    4. Re:More interesting facts by cold+fjord · · Score: 2

      The DES case is well understood

      The DES case is well understood NOW. DES was the subject of conspiracy theories, suspicion, and fear for nearly 20 years, just in the same way that this controversy is likely to go.

      The ironic thing about the DES controversy is that it was secretly stronger than many people knew, not weaker, and there are people that adopted other far weaker encryption schemes out of fear and suspicion rather than use DES. The secret techniques that DES was hardened against made cracking many of those other encryption schemes much easier. I wonder how many secrets were lost because people went to those other encryption methods that were vulnerable to the secret cryptanalysis techniques that DES was immune to?

      Here is a thought-provoking piece for you: ‘We Can Trust GCHQ On Encryption’

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    5. Re:More interesting facts by Anonymous Coward · · Score: 0

      I hope Certicom has their liability insurance paid up

    6. Re:More interesting facts by Anonymous Coward · · Score: 0

      Hey look well-known shill and whore cold fjord rides in to white knight the NSA.

    7. Re:More interesting facts by thue · · Score: 1

      So an anonymous manager - manager! - thinks it isn't a big deal. They couldn't find an actual cryptographer to quote? While all the cryptographers do think it is a big deal. This is not an issue where there is real discussion. It is not me who are exaggerating, it is you who are understating the issue.

    8. Re:More interesting facts by cold+fjord · · Score: 1

      While all the cryptographers do think it is a big deal.

      Go back and read it again. The two that started this downplayed it in their own presentation: "WE ARE NOT SAYING: NIST intentionally put a back door in this PRNG" Good old Bruce didn't find anything in Snowden's leaks to show that the crypto had actually been subverted.

      They think it is a big deal because they see the potential, but they can't prove that a backdoor actually exists. Nobody has proven that. This is a lot like the paranoia over NSA's changes to the S-boxes for DES. "They must have put in a backdoor," is what the advocates argued. 15 years later differential cryptanalysis broke a lot of ciphers, but not DES. Hmmmmm.... turns out NSA knew about it at the time and strengthened DES against it.

      This is not an issue where there is real discussion.

      Exactly! Far too many people are running in circles yelling, "Back door! Back door! Panic!" when there isn't proof of that, only suspicion, at best. Everyone should stop, take a deep breath, and reread all the background material. I see many inflated claims, but little that is solid.

      It is not me who are exaggerating, it is you who are understating the issue.

      What I see are a lot of inflated claims in one giant media echo chamber, each claim building on the other. But when you go to look at the foundations there is very little there.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    9. Re:More interesting facts by Anonymous Coward · · Score: 0

      The NSA has Microsoft in their back pocket, of course they aren't going to say anything idiot.

    10. Re:More interesting facts by Anonymous Coward · · Score: 0

      Hey, it's spinmaster fjord. Play us another track.

    11. Re:More interesting facts by Anonymous Coward · · Score: 0
    12. Re:More interesting facts by Anonymous Coward · · Score: 0

      There absolutely is a demonstrable backdoor in the algorithm, maybe try reading the TFA. The only question is whether the NSA has the key for the specific constants specified in the standard - and if it doesn't, why would it bribe RSA to use a known defective algorithm?

    13. Re:More interesting facts by Anonymous Coward · · Score: 0

      I'd say that what sets this apart from the average conspiracy theory is that a) the incriminating facts are definite and b) the issue eventually came out into the open.
      If anything, this case proves yet again that most conspiracy theories are bunk, precisely because it shows that these things when they actually happen cannot stay below the radar for that long.

    14. Re:More interesting facts by Anonymous Coward · · Score: 0

      The problem here is that these aren't S-boxes. This is trivial (and safe!) to rig and the ONLY reason to not do so is if you fear leaking the key.

      I've been following your posting history for a while, btw, since defending NSA is a little bit out of the slashdot party-line (you don't say..). At some point you seemed to be a fairly intelligent person with opinions that simply go counter to the groupthink but you are walking on thin ice here. I'm starting to wonder whether you actually are what others claim you to be.

    15. Re:More interesting facts by Anonymous Coward · · Score: 0

      "White knight the NSA" is far too polite to describe cold fjord. Try "fellate the NSA in public."

    16. Re:More interesting facts by Cramer · · Score: 1

      The simple fact that two of the designers patented solutions to address the backdoor, and in so doing, very clearly described the problem, is about as smoking gun as it gets without an HD bullet-time video of the gun actually being fired.

      While we have no proof the NSA knows any secret constant, their involvement, the push to use it ("bribing" RSA), and a standard requiring their chosen constants, is very damning evidence, indeed.

  17. The NSA is fucking stupid! by LazLong · · Score: 4, Insightful

    So, they introduced a backdoor into software that can be/is used to secure US nuclear secrets, in the hopes only they would be able to take advantage of it? This is just another variant of "security through obscurity." Really, really fucking stupid!

    1. Re:The NSA is fucking stupid! by Darinbob · · Score: 1

      I don't think they're that stupid. Which is why I doubt the Snowden revelations about this, either it's misinterpreted or misrepresented.

    2. Re:The NSA is fucking stupid! by fatphil · · Score: 1

      The US nuclear secret is "00000000".

      --
      Also FatPhil on SoylentNews, id 863
    3. Re:The NSA is fucking stupid! by Anonymous Coward · · Score: 1

      He's not kidding BTW.

      http://www.todayifoundout.com/index.php/2013/11/nearly-two-decades-nuclear-launch-code-minuteman-silos-united-states-00000000/

    4. Re:The NSA is fucking stupid! by ArsenneLupin · · Score: 2

      The backdoor is only useful if you have the "secret" key, i.e. the e such that Q^e=P . Working out e from P and Q is hard (discrete log problem). However, if you are in a position to pick the P and Q that will make it into the standard, you just pick up any Q and e of your liking, keep e secret to yourself, and hand out Q and the P derived from Q and e.

      So, only the NSA, and maybe people having managed to steal e from the NSA would be able to take advantage of this back door.
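
The relation between P, Q and e described in this comment (and in the "Q=eP" comment above), worked through as an added example that is not code from the article or the proof-of-concept it links. It runs a toy Dual_EC_DRBG on a small constructed curve with constructed Q, e and seed, shows that whoever knows e turns a few truncated outputs into the full internal state, and that on a curve this small e can also be recovered by exhaustion, which is exactly what a 256-bit curve rules out.

```python
# Added example, not code from the article or the PoC it links: a toy Dual_EC_DRBG on a
# tiny constructed curve, showing how a known relation P = e*Q between the two constants
# turns a few truncated outputs into the generator's whole future.
P_MOD = 10007                # prime, 3 mod 4 so a modular square root is one exponentiation
A, B = 2, 3                  # curve y^2 = x^3 + A*x + B over GF(P_MOD)
OUT_BITS = 12                # P_MOD < 2^14: emitting 12 bits drops the top 2, like 16 of 256 in the standard
MASK = (1 << OUT_BITS) - 1

def inv(v):
    return pow(v, P_MOD - 2, P_MOD)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def xcoord(pt):
    return 0 if pt is None else pt[0]

def lift_x(x):
    """A curve point with this x, or None when x^3 + A*x + B is a non-residue."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def backdoored_params(Q, e):
    """Whoever fixes the constants picks e, publishes P = e*Q and keeps e to themselves."""
    return mul(e, Q), Q

def dual_ec_generate(seed, P, Q, n):
    """Toy Dual_EC_DRBG: s_i = x(s_{i-1}*P), r_i = x(s_i*Q), emit r_i minus its top bits."""
    s, outs = seed, []
    for _ in range(n):
        s = xcoord(mul(s, P))
        outs.append(xcoord(mul(s, Q)) & MASK)
    return outs, s

def predict_next(observed, P, Q, e):
    """Holding e, recover the state from a few outputs and return the one that follows."""
    for hi in range(1 << (14 - OUT_BITS)):          # guess the stripped top bits of r_1
        r1 = (hi << OUT_BITS) | observed[0]
        R = lift_x(r1) if r1 < P_MOD else None      # candidate for s_1*Q (sign of y is irrelevant)
        if R is None:
            continue
        s = xcoord(mul(e, R))                       # e*(s_1*Q) = s_1*P, i.e. the next state s_2
        for out in observed[1:]:                    # confirm the guess against later outputs
            if xcoord(mul(s, Q)) & MASK != out:
                break
            s = xcoord(mul(s, P))
        else:
            return xcoord(mul(s, Q)) & MASK
    return None

def brute_force_trapdoor(P, Q):
    """Find k with k*Q = P by exhaustion: fine on this toy curve, hopeless at 256 bits."""
    acc = None
    for k in range(1, P_MOD + 210):                 # Hasse bound: order <= p + 1 + 2*sqrt(p)
        acc = add(acc, Q)
        if acc == P:
            return k
    return None

if __name__ == "__main__":
    Q0, e = (3, 6), 1234    # constructed stand-ins for the published Q and the hidden trapdoor
    P, Q = backdoored_params(Q0, e)
    outs, _ = dual_ec_generate(4242, P, Q, 4)
    print("outputs:", outs)
    print("predicted fourth output from the first three:", predict_next(outs[:3], P, Q, e))
    print("trapdoor recovered by brute force on this toy curve:", brute_force_trapdoor(P, Q))
```

The point the thread keeps circling is visible in the last line: the only thing standing between an observer and the state is the discrete log of P base Q, and a published Q with no stated derivation gives no way to tell whether someone already holds it.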

    5. Re:The NSA is fucking stupid! by Anonymous Coward · · Score: 0

      never underestimate the hubris and arrogance of the US Government. 20 years of Hegemony messes with one's ability to know when to leave things alone.

  18. Nice maths by Anonymous Coward · · Score: 0

    If it takes 50000 years with today's computing power, and if we apply Moore's law to that, then wouldn't you have to divide the remaining number of years by say 2 every 2 years? So wouldn't your impressive 50K turn into 30 years? Years = (Years - 2 / 2) until Years 0 would only give you 15 iterations.

    1. Re:Nice maths by black3d · · Score: 1

      No, not really - and as I was writing it I thought "I bet someone's gonna bring Moore's Law into this and then I'm going to have to explain". So I'll explain - the 50,000 years was a figure thrown out there. Really, as long as time taken > life expectancy, OP won't be able to find a result. The actual time to perform that many encryption cycles would be in the millions of years. If Moore's Law progresses over time that would certainly be brought down, but not within OP's lifetime. Then you've got to compare the data set. Never mind that physically storing that many 32-bit strings would take more atoms than exist on our planet. The point was simply that OP's suggestion was ridiculous.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    2. Re:Nice maths by Anonymous Coward · · Score: 0

      what if snowden has the key in question and it is locked away in his insurance file? maybe this is the deadman's trigger he has.

      they snatch him up, the key gets leaked and every crypto string since 2007 done with this encryption schema gets leaked, and it would be all the NSA's fault for building the backdoor in the first place. makes it so only a suicidal fool would be stupid enough to black bag him. This would also explain why the US gov has tried so hard to either invalidate him, or apply soft power to make him turn himself in. They know he has them over a barrel and they don't know what to do in this situation.

  19. RELIABLEWINDMILL by Anonymous Coward · · Score: 0

    RELIABLEWINDMILL sounds like a project classification. Wonder who submitter is?

  20. random(Dual_EC_DRBG()) by xeoron · · Score: 1

    If you use more than 1 sequence of randomness while using the required standard, is that code viewed as compliant?

  21. You're assuming non quantum computer use by Anonymous Coward · · Score: 0

    With quantum computers I would guess that this could become trivial with enough qubits

  22. I'll stick with twofish,or AES256 then. by mrflash818 · · Score: 1

    It is quite obvious in light of the recent revelations from Snowden that this weakness was introduced by purpose by the NSA. It is very elegant and leaks its complete internal state in only 32 bytes of output, which is very impressive knowing it takes 32 bytes of input as a seed.

    I'll stick with twofish,or AES256 for my openssl and gpg stuff.

    --
    Uh, Linux geek since 1999.
    1. Re:I'll stick with twofish,or AES256 then. by Anonymous Coward · · Score: 0

      Those aren't RNGs, but whatever man.

    2. Re:I'll stick with twofish,or AES256 then. by Desler · · Score: 1

      What do either of those have to do with PRNGs?

  23. I'll try to keep using OpenSSL then ; ) by mrflash818 · · Score: 1

    The silver lining seems to be that there's evidence no one has ever actually used Dual EC_DRBG in release versions of the OpenSSL module (though that in turn raises the question of why RSA's BSAFE crypto tool used the RNG by default). ...

    The takeaway from Thursday's advisory is that Dual EC_DRBG has been formally banished from yet another widely used crypto platform (with RSA's BSAFE being the other one). Before bidding a formal farewell to the algorithm, it's worth mentioning that Dual EC_DRBG was suspiciously absent from Wednesday's report issued by President Obama's advisory panel on NSA surveillance. We would have expected to see at least passing mention of it in Appendix E of the full report, the section that disclosed the US government's role in forging encryption standards. Alas, there's none.

    http://arstechnica.com/security/2013/12/nsas-broken-dual_ec-random-number-generator-has-a-fatal-bug-in-openssl/

    --
    Uh, Linux geek since 1999.
  24. Doesn't this legally invalidate FIPS? by Anonymous Coward · · Score: 1

    Isn't FIPS something that has a legal requirement to be secure? Doesn't this by extension invalidate the security of FIPS?

  25. I'll try to keep using GNUPG (gpg) then ; ) by mrflash818 · · Score: 1

    There are two distinct random generators available:

            The Continuously Seeded Pseudo Random Number Generator (CSPRNG), which is based on the classic GnuPG derived big pool implementation. Implemented in random/random-csprng.c and used by default.
            A FIPS approved ANSI X9.31 PRNG using AES with a 128 bit key. Implemented in random/random-fips.c and used if Libgcrypt is in FIPS mode.

    http://www.gnupg.org/documentation/manuals/gcrypt/Random_002dNumber-Subsystem-Architecture.html#Random_002dNumber-Subsystem-Architecture

    --
    Uh, Linux geek since 1999.
  26. Traitors, the lot of them by Anonymous Coward · · Score: 0

    I found the shill! You're also a jackboot licking, spineless, and wretched excuse for a human being.

    You didn't read TFA or TFS or even The Fucking Headline. How is a publicly posted (on Github) proof-of-concept with accompanying explanation in detail (in TFA) "in the hands of the NSA only"? If you're actually concerned about foreign governments or terrorists, this sort of behavior is the most egregious possible: it makes ALL of us less safe. You think that China doesn't have cryptographers at least as good as this guy I've never heard of before? That which is in the power of one fool to do is also in the power of another. The bottom line is that those supposed to protect us shirked their duty. They are traitors. By paying money to promote an algorithm with a known backdoor as secure, for the use of the very citizens they protect, they actively aided the enemy. Hang them all.

    aris@kalix86:~/dualec$ ./dual_ec_drbg_poc
    s at start of generate:
    E9B8FBCFCDC7BCB091D14A41A95AD68966AC18879ECC27519403B34231916485
    [omitted: many output from openssl]
    y coordinate at end of mul:
    0663BC78276A258D2F422BE407F881AA51B8D2D82ECE31481DB69DFBC6C4D010
    r in generate is:
    96E8EBC0D507C39F3B5ED8C96E789CC3E6861E1DDFB9D4170D3D5FF68E242437
    Random bits written:
    000000000000000000000000000000000000000000000000000000000000
    y coordinate at end of mul:
    5F49D75753F59EA996774DD75E17D730051F93F6C4EB65951DED75A8FCD5D429
    s in generate:
    C64EAF10729061418EB280CCB288AD9D14707E005655FDD2277FC76EC173125E
    [omitted: many output from openssl]
    PRNG output: ebc0d507c39f3b5ed8c96e789cc3e6861e1ddfb9d4170d3d5ff68e242437449e
    Found a match !
    A_x: 96e8ebc0d507c39f3b5ed8c96e789cc3e6861e1ddfb9d4170d3d5ff68e242437
    A_y: 0663bc78276a258d2f422be407f881aa51b8d2d82ece31481db69dfbc6c4d010
    prediction: a3cbc223507c197ec2598e6cff61cab0d75f89a68ccffcb7097c09d3
    Reviewed 65502 valid points (candidates for A)
    PRNG output: a3cbc223507c197ec2598e6cff61cab0d75f89a68ccffcb7097c09d3

    1. Re:Traitors, the lot of them by Anonymous Coward · · Score: 0

      You didn't finish TFA either.

      note: I did not break the official algorithm. I do not know the secret value used to compute the Q constant, and thus cannot break the default implementation. Only NSA (and people with access to the key) can exploit the PRNG weakness.

      The point is if YOU are setting the default parameters (like the author of the article did), you can insert a backdoor. To find that backdoor as a third party, you'd have to spend $(longer_than_plausible) bruteforcing it.

      This is true with many algorithms, that's why authors usually choose constants that show they were not constructed to have some specific properties in this algorithm, like first 64 bits of Pi, or square root of 2, or natural logarithm of 10, or...

      NSA doesn't say _how_ they chose constants for Dual_EC, therefore, if you're properly paranoid (as you should be if you want security), the only sane assumption is that it _is_ backdoored. If you're not paranoid, the assumption should be that the chances of a backdoor in there are a lot >50% and therefore the algorithm's unusable.

  27. I'm paranoid, scared and lost by Anonymous Coward · · Score: 0

    ECC is spooky; at least with RSA there aren't nearly so many highly creative ways to sabotage things.

    Wouldn't be shocked to find out all this talk of using temporary EC keys for TLS PFS is exactly what NSA wants till the next Snowden leaks that all popular curves in TLS were broken by NSA. In the future material for new curves should be required to be selected from next week's lottery unless an NSA employee wins that lottery.

    Let's not lose sight of what is really important. While Dual_EC_DRBG might well have been compromised chances are none of us have ever used it for anything... what we should really be paying attention to are the worryingly high count of key collisions discovered from Internet wide certificate surveys. Something never explained.

    Finally it's a bit silly we are in a position to be afraid of random numbers. EEs spend quite a lot of time in school working margins so transistors operate predictably. When you flunk out of class by allowing a circuit to be influenced primarily by thermal noise you win real random numbers. Realizing current gen CPUs *finally* have hardware random number generators which nobody trusts..LOL... why has it not been a standard feature for all this time? Why all the decades of extremes to cook fake randomness no one was ever happy with.

  28. Time to get distributed.net on the job by Majik+Sheff · · Score: 1

    If they aren't already, now would be the time to start putting the masses to work hunting down the NSA's special key. This is a nasty one, and the sooner we can use it to bludgeon the guilty parties the better.

    --
    Women are like electronics: you don't know how damaged they are until you try to turn them on.
  29. Never trust an NSA douchebag by CuteSteveJobs · · Score: 2

    I trust Bruce Schneider. If he's a sleeper agent, they've put in so much effort it would seem churlish not to use him.

    And really, I'd use Blowfish ahead of any NSA encraption algorithm or LOL AES. If history has a sense of irony, China will pwn the entire US IT infrastructure using NSA backdoors.

    1. Re:Never trust an NSA douchebag by Anonymous Coward · · Score: 0

      I trust Bruce Schneider. If he's a sleeper agent, they've put in so much effort it would seem churlish not to use him. And really, I'd use Blowfish ahead of any NSA encraption algorithm or LOL AES. If history has a sense of irony, China will pwn the entire US IT infrastructure using NSA backdoors.

      Who the fuck is Bruce Schneider? If you're going to try to act knowledgeable, at least try not to fuck up the name of who you're idolizing. It makes you look stupid. It's Bruce Schneier. He even wrote Blowfish, your apparent encryption algorithm of choice.

    2. Re:Never trust an NSA douchebag by david_thornley · · Score: 1

      FWIW, Bruce Schneier thought AES was fine to use, last I read him comment on it. There are weaknesses, but he didn't think they were of practical importance, and AES has been attacked hard by a large number of very intelligent people.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  30. And don't forget about Big Telco Complicity by Anonymous Coward · · Score: 0

    You think that private T1 or Metro Ethernet circuit is safe just because the data on it is supposedly not routed through the Internet???

    Oh, you silly, naive children!

  31. not RNGs by mrflash818 · · Score: 1

    Good point.

    --
    Uh, Linux geek since 1999.
  32. not RNGs by mrflash818 · · Score: 1

    True, good point.

    --
    Uh, Linux geek since 1999.
  33. I'm frightened to death .... by Anonymous Coward · · Score: 0

    ....that someday soon the NSA will let my wife know all about my secret affair with Rachel from Cardholder Services. What a bummer that would be.