Roeckx: State of encryption
A lot of the algorithms depend on good random numbers. That is that the attacker can't guess what a (likely) random number you've selected. There have been many cases of bad RNG [random number generator] that then resulted in things getting broken. It's hard to tell from the output of most random number generators that they are secure or not. One important thing is that the RNGs gets seeded with random information (entropy) to begin with. If it gets no random information, very limited amount of possible inputs or information that is guessable as input it can appear to give random numbers, but they end up being predictable There have been many cases where this was broken."
Posted Sep 11, 2013 11:09 UTC (Wed)
by Seegras (guest, #20463)
[Link] (8 responses)
Bruce Schneier says: "Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can."
See here
Posted Sep 11, 2013 12:14 UTC (Wed)
by Otus (subscriber, #67685)
[Link] (7 responses)
Posted Sep 11, 2013 12:38 UTC (Wed)
by gidoca (subscriber, #62438)
[Link] (6 responses)
Posted Sep 11, 2013 15:43 UTC (Wed)
by Seegras (guest, #20463)
[Link]
To be fair, the NSA also supplied the S-boxes for DES, and it turned out years later that they made DES much stronger.
However, I think the NSA has gone over the dark side some time in the last few years. There was a paradigm shift from an "open" NSA in service of the public ("let's make everyone more secure, so our allies will be more secure too") to a cyberwar operation ("let's hoard exploits and subvert everything so we can attack everyone"). With "allies" I include all other US government agencies; with "everyone" also...
Posted Sep 11, 2013 17:29 UTC (Wed)
by intgr (subscriber, #39733)
[Link] (2 responses)
PRNGs are usually based on symmetric cryptography components (ciphers or hash functions), which are fast and straightforward. Conversely, elliptic curve math is used in public-key cryptography, which is relatively slow, but allows for separating private and public keys.
Why would anyone design a PRNG that's over 100 times slower than the rest, using techniques that are totally inappropriate to its problem domain? Techniques which are intended for two-party communication. Who's the "other party" to a PRNG? Well, it's the NSA of course!
Fortunately, due to its bad performance and complexity, the PRNG probably wasn't used in any significant places.
Posted Sep 11, 2013 23:25 UTC (Wed)
by brugolsky (guest, #28)
[Link] (1 responses)
"The default Pseudo Random Number Generator (PRNG) is the Dual EC-DRBG using a P256 curve with prediction resistance off." I didn't find an obvious link for the equivalent C/C++ library documentation, but the RSA BSAFE CNG
Cryptographic Primitives Library 1.0 FIPS 140-1 Security Policy document from RSA Security at the NIST site says (p.14): "The Module provides a default RNG, which is the Dual EC DRBG, using a P256 curve and SHA-256."
Additionally, the RSA BSAFE Crypto-C Micro-Edition 3.0.0.2 FIPS 140-1 Security Policy says (p.17):
"For R_FIPS140_MODE_FIPS140_ECC and
R_FIPS140_MODE_FIPS140_SSL_ECC, Crypto-C ME implements a Dual ECDRBG (Cert. #137) internally"
I'd be more than a bit wary of any product using RSA Security libraries.
Posted Sep 11, 2013 23:31 UTC (Wed)
by brugolsky (guest, #28)
[Link]
RSA Security BSAFE Share for Java 1.1
Posted Sep 11, 2013 17:54 UTC (Wed)
by lsl (subscriber, #86508)
[Link] (1 responses)
Bruce explained the statement over at his blog (in the comments). His reasoning was along the line of: there are constants involved and he has no idea how and why the designers arrived at those constants.
From that you can conclude to which ECC algorithms his suggestion applies.
Posted Sep 12, 2013 2:49 UTC (Thu)
by wahern (subscriber, #37304)
[Link]
Basically, Appendix A specifies the PRNG algorithm for generating the curve constants. You generate a seed and iteratively hash it with a counter. But the seed chosen which generated the specified constants is completely opaque. For all we know, the NSA tried billions of different seeds until one generated parameters to its liking within the odd 4096 iteration limit. Then they tied it up in a bow and handed it off to NIST.
Why limit the counter for each seed to 4096? It seems downright Rube Goldbergian. Why nobody found this fishy before is beyond me. Or maybe people did but the community couldn't bring itself to care.
The Open Source community should be using its own curves. DJB published a curve that he says is more secure _and_ faster. OpenSSL and libgcrypt should support this and other similar ones, as well as usher their addition into open standards.
Posted Sep 11, 2013 13:10 UTC (Wed)
by Lennie (subscriber, #49641)
[Link] (8 responses)
I found dieharder but it clearly isn't a 'run a few times and if everything passes life is good' tool.
For example I found out the Raspberry Pi has a hardware random number generator.
I took 3.1 GB of random data from the Raspberry Pi hardware random number generator (which isn't very fast or enough to prevent some tests rewinding the data) and it said 2 tests failed.
While the Linux 3.10 kernel /dev/random on my i7 desktop machine (no RdRand) with haveged running had 4 tests fail.
Does that mean I should trust the Raspberry Pi more ?
It just isn't that simple is it ? ;-)
Posted Sep 11, 2013 15:13 UTC (Wed)
by cesarb (subscriber, #6266)
[Link] (7 responses)
For instance, the popular cryptographic random number generator Yarrow (and its successor Fortuna, which is the one I would recommend) uses as its core a common block cipher in counter mode, with the state as the key. Good block ciphers have an output which are indistinguishable from random noise.
When a cryptographic RNG is broken, the problem is usually not with the part which generates the output, but with the state. If for instance some bug within the RNG causes the state to only have 65536 possible values, you cannot discover it by just looking at the output - it will look as random as the output of a working RNG, no matter which test you use. But if you know just *how* the state is broken, you will be able to guess it.
So, no, sorry, you cannot prove a cryptographic RNG as secure just by looking at its output. You really have to audit the code. A few test vectors help checking that it is implementing the algorithm correctly, but they cannot test the important part: that it is actually being seeded, and with enough bits of entropy.
Posted Sep 11, 2013 22:26 UTC (Wed)
by nix (subscriber, #2304)
[Link] (2 responses)
With the NSA's constants (be it the S-boxes provided for DES, or the NIST curves) we know none of this.
Posted Sep 12, 2013 14:37 UTC (Thu)
by robbe (guest, #16131)
[Link] (1 responses)
Posted Sep 16, 2013 16:56 UTC (Mon)
by nix (subscriber, #2304)
[Link]
Posted Sep 12, 2013 14:39 UTC (Thu)
by robbe (guest, #16131)
[Link] (3 responses)
Wouldn't a cycle length of 65536 be detected pretty easily?
Posted Sep 12, 2013 17:42 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
(PS: yes, it was actually caused by Kurt Roecxx, so you he's speaking from experience)
Posted Sep 12, 2013 18:00 UTC (Thu)
by nybble41 (subscriber, #55106)
[Link]
I imagine the 65536 states would not include the previous output of the RNG, which is generally part of the input for the next round. Due to the feedback there wouldn't necessarily be an obvious cycle. However, given a part of the RNG's output, you would only have to search 2**15 values on average to find the state corresponding to that point in the stream, allowing you to predict all the RNG's output from that point on.
Posted Sep 12, 2013 18:49 UTC (Thu)
by wtanksleyjr (subscriber, #74601)
[Link]
Posted Sep 12, 2013 22:46 UTC (Thu)
by zooko (guest, #2589)
[Link]
* Matthew Green: http://blog.cryptographyengineering.com/2013/09/on-nsa.html
Posted Sep 16, 2013 5:38 UTC (Mon)
by glaesera (guest, #91429)
[Link] (1 responses)
Posted Sep 16, 2013 21:52 UTC (Mon)
by wahern (subscriber, #37304)
[Link]
They're also largely free from patent encumbrances because the algorithms and most of the tricks have been around for longer than 20 years.
Roeckx: State of encryption
http://www.wired.com/politics/security/commentary/securit...
And here:
http://rump2007.cr.yp.to/15-shumow.pdf
Roeckx: State of encryption
Roeckx: State of encryption
Roeckx: State of encryption
So there are specific seeds for NIST-standardized curves, that were supplied by the NSA. No explanations given.
Roeckx: State of encryption
Apparently, RSA Security BSAFE Share for Java 1.1 has DUAL_EC_DRBG as a default:RSA Security and DUAL_EC_DRBG
Oops, sorry, wrong link:RSA Security and DUAL_EC_DRBG
Roeckx: State of encryption
Roeckx: State of encryption
Roeckx: State of encryption
Roeckx: State of encryption
Roeckx: State of encryption
Roeckx: State of encryption
Roeckx: State of encryption
Roeckx: State of encryption
> 65536 possible values, you cannot discover it by just looking at the output
Roeckx: State of encryption
Roeckx: State of encryption
Roeckx: State of encryption
Roeckx: State of encryption
* Matthew Green's follow-up: http://blog.cryptographyengineering.com/2013/09/a-note-on...
* Bruce Schneier: https://www.schneier.com/blog/archives/2013/09/the_nsas_c...
* Bruce Schneier again: http://www.theguardian.com/commentisfree/2013/sep/05/gove...
* EFF recent blog post: https://www.eff.org/deeplinks/2013/08/tahoe-and-tor-build... (disclosure: that blog entry is praising my project — Tahoe-LAFS, so of *course* I think it is a good post!)
* EFF "surveillance self-defense" (precedes the Snowden leaks): https://ssd.eff.org/wire/protect
* Freedom Of The Press Foundation "Encryption Works": https://pressfreedomfoundation.org/encryption-works
Roeckx: State of encryption
Possible vulnerabilities to quantum-computer attacks are a minor issue, also it would be possible to use longer keys there, too, if necessary.
Roeckx: State of encryption