Slashdot Mirror


NIST Removes Dual_EC_DRBG From Random Number Generator Recommendations

hypnosec writes: "National Institute of Standards and Technology (NIST) has removed the much-criticized Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) from its draft guidance on random number generators following a period of public comment and review. The revised document retains three of the four previously available options for generating pseudorandom bits required to create secure cryptographic keys for encrypting data. NIST recommends that people using Dual_EC_DRBG should transition to one of the other three recommended algorithms as quickly as possible."

16 of 86 comments

  1. Trust... by Anonymous Coward · Score: 3, Insightful

    ... So much more easily lost than won. How is anyone supposed to take these new recommendations seriously?

  2. Obligatory XKCD by Russ1642 · Score: 3, Funny
  3. OpenBSD has already removed it by Anonymous Coward · Score: 2, Interesting

    OpenBSD has already removed that nonsensical algorithm from LibreSSL; has OpenSSL yet??? NOPE!!!!

  4. Not the only change by TechyImmigrant · Score: 2, Interesting

    They also made many other changes. See appendix F of draft 1. I'm in the middle of reviewing them.

    The announcement and RFC are here.
    The comments from the previous round addressed far more than just the Dual_EC_DRBG.

    There are structural issues in the spec. My comments on the previous draft address them:
    1) Flow control: ES pushing vs. conditioner pulling. Reseeding on demand vs. when entropy is available.
    2) A purely software-centric API, when all nondeterministic random number generators need a hardware component.
    3) Online testing that is too onerous for resource-constrained solutions, when effective technical solutions exist that have been ignored.
    4) Conditioners (really an SP800-90B thing, but A, B and C go hand in hand) are all single-source conditioners based on large crypto functions. The current state of math tells us multiple-input conditioners can be implemented with non-cryptographic methods in fewer gates with higher lower bounds for min-entropy out.

    There's more. See the comments.

    --
    I should use this sig to advertise my book ISBN-13: 978-1501515132.
    1. Re:Not the only change by TechyImmigrant · Score: 2

      Oops. I missed the link for the announcement... here.

      --
      I should use this sig to advertise my book ISBN-13: 978-1501515132.
  5. Re:Cut off your nose to spite your face by erikkemperman · Score: 5, Insightful

    > NIST recommends that people using Dual_EC_DRBG should transition to one of the other three recommended algorithms as quickly as possible.

    Presumably GP worries that if one out of four options selected by this body is not just flawed but apparently deliberately subverted, what does that say about how well the other three were vetted?

    --
    Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
  6. What's the cost to use a real RNG vs pseudo by medv4380 · Score: 2

    I know they can be a bit cost prohibitive, but pseudo RNGs always look like you're just waiting for them to eventually become broken. Are the real RNGs out there so cost prohibitive?

    1. Re:What's the cost to use a real RNG vs pseudo by TechyImmigrant · Score: 2, Interesting

      >no one can know if Intel could have a backdoor into it.

      Except me and my colleagues, who have full visibility of it and know if a back door was put in it and no, a back door was not put in it.

      If there was a back door, it would only take one person out of several hundred of those people who would know, to tell the world about a backdoor. If there isn't a backdoor (which there isn't), then there's no back door to tell the world about.

      We are a company full of techies most of whom like open source principles and personal data security. So if there was a back door, you would find out about it because you could pretty much guarantee that someone would bleat, and justly so.

      --
      I should use this sig to advertise my book ISBN-13: 978-1501515132.
  7. Re:Cut off your nose to spite your face by fustakrakich · Score: 2

    With any state authority these days, as their true nature slowly becomes exposed, you have to assume the worst.

    --
    “He’s not deformed, he’s just drunk!”
  8. Re:Cut off your nose to spite your face by erikkemperman · Score: 4, Insightful

    > Some people claim that it has a backdoor, but that isn't what has been proven. What has been proven is that a backdoor is possible with the technology and you wouldn't know either way.

    The difference is academic, but I suppose you mean as in this story about the proof of concept?

    An algorithm for which a backdoor is possible should be considered backdoored. Especially for crypto PRNGs. Anyway, taken in context, which is to say the RSA connection and those unexplained constants P and Q which you couldn't change in certified implementations... Guess I'm inclined to being just slightly more paranoid these days.

    --
    Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
  9. Re:Cut off your nose to spite your face by cold+fjord · Score: 5, Insightful

    The problem is that by assuming the worst you can go down the wrong path if the situation isn't in fact worst case. Consider the example of DES encryption. The NSA tweaked the S-box values before the standard was approved. Nobody outside of NSA knew why. Many people suspected some sort of backdoor, but nobody could find one. As a result of the suspicion there were people that refused to use DES. Eventually it emerged that NSA had strengthened DES against secret cryptanalysis techniques that weren't generally known at the time. Many of the people that refused to use DES ended up using encryption schemes that were vulnerable to the secret techniques because they assumed the worst and were wrong. DES held up remarkably well against attacks over time, including attacks that were either invented or reinvented long after DES was approved.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
  10. Re:Cut off your nose to spite your face by erikkemperman · Score: 4, Insightful

    You go ahead and keep on using it. Meanwhile, for the rest of us, no proof is needed -- not in the sense that you insist is relevant. The theoretical possibility is enough to ditch this generator. That, and as kasperd and others point out, all those circumstantial bits of evidence... It must take real effort not to see it.

    --
    Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
  11. Re:Cut off your nose to spite your face by erikkemperman · Score: 4, Interesting

    > Operating by suspicion can be hazardous when it comes to encryption.

    I would argue that operating by suspicion should be the default when it comes to encryption.

    --
    Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
  12. Re:Cut off your nose to spite your face by David+Jao · Score: 2

    I'm a crypto researcher specializing in elliptic curves. I don't think you understand the math behind Dual_EC_DRBG. The evidence that a backdoor exists is incontrovertible. The only question is who, if anyone, knows what the backdoor is.

  13. Re:Cut off your nose to spite your face by David+Jao · Score: 2

    A deterministic random bit generator has no need for even a possibility of a backdoor. Ever. We're not talking about encryption where there needs to be a backdoor so that one person (the legitimate recipient) can decrypt the communication. Also, most experts in the field, including myself, hold the subjective opinion that it is very unlikely there could be any innocent explanation for the existence of the possibility of a backdoor. There are many other much more straightforward designs for deterministic random bit generators that provably contain no possibility of a backdoor under standard number-theoretic assumptions. You cannot reasonably compare this situation to DES. Symmetric key cryptography doesn't come with security proofs. Public-key cryptography primitives are a completely different ballgame.

  14. Re:Cut off your nose to spite your face by sjames · Score: 2

    No, but it does leave you wondering about the other things they recommended.