
A new Dual EC DRBG flaw


Posted Jan 1, 2014 19:06 UTC (Wed) by jeff_marshall (subscriber, #49255)
In reply to: A new Dual EC DRBG flaw by jake
Parent article: A new Dual EC DRBG flaw

Jake - thanks for the prompt clarification.

SP800-90A actually includes several DRBG algorithms, and any given product is likely to only use one of them.

So Marquess's statement that SP800-90A is basically mandatory (most non-trivial uses of cryptography require a DRBG at some point and 140-2 Annex C allows the use of the SP800-90A DRBGs) shouldn't be taken to imply that Dual EC DRBG is also mandatory, as one could choose to implement another algorithm from that SP.

Generally I think either CTR DRBG or HMAC DRBG from SP800-90A are more likely to be chosen than Dual EC DRBG depending upon whether the application also needs a hash or block cipher whose implementation can be used as a building block for the DRBG implementation.


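To make the "building block" point above concrete, here is an added example (written for this page, not code from the comment author or from any SP800-90A implementation) of the HMAC_DRBG construction from SP800-90A section 10.1.2, built on nothing more than SHA-256 from Python's hashlib. The class name HmacDrbg, the helper drbg_bytes and the reseed_interval parameter are names chosen for this illustration; the seed values in the demo are constructed, not NIST test vectors.

```python
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG over SHA-256, following the Instantiate / Update /
    Reseed / Generate functions of SP800-90A section 10.1.2.
    reseed_interval is an illustrative parameter (the standard's
    maximum for HMAC_DRBG is far larger than the default used here)."""

    def __init__(self, entropy_input: bytes, nonce: bytes,
                 personalization: bytes = b"", reseed_interval: int = 10000):
        self.outlen = hashlib.sha256().digest_size
        self.reseed_interval = reseed_interval
        # Instantiate: K = 0x00...00, V = 0x01...01, then one Update call
        # with seed_material = entropy_input || nonce || personalization.
        self.K = b"\x00" * self.outlen
        self.V = b"\x01" * self.outlen
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG Update: mixes provided_data into (K, V); the second
        # round is skipped when there is no provided data.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if not provided_data:
            return
        self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
        self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, n: int, additional_input: bytes = b"") -> bytes:
        # Generate: refuse to run past the reseed interval, optionally mix
        # in additional_input, then produce output by iterating V = HMAC(K, V).
        if self.reseed_counter > self.reseed_interval:
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        temp = b""
        while len(temp) < n:
            self.V = self._hmac(self.K, self.V)
            temp += self.V
        # Post-generation Update provides backtracking resistance.
        self._update(additional_input)
        self.reseed_counter += 1
        return temp[:n]


def drbg_bytes(entropy_input: bytes, nonce: bytes,
               personalization: bytes, n: int) -> bytes:
    """Instantiate a fresh DRBG and return its first n output bytes."""
    return HmacDrbg(entropy_input, nonce, personalization).generate(n)


if __name__ == "__main__":
    # Constructed seed values for demonstration only; a real instantiation
    # must draw entropy_input from an approved entropy source.
    entropy = bytes(range(32))
    nonce = bytes(range(16))
    print(drbg_bytes(entropy, nonce, b"constructed example", 32).hex())
```

Because the output depends only on (entropy_input, nonce, personalization) and the deterministic HMAC chain, two instances seeded identically produce identical streams; this is exactly why the quality of the entropy input, not the DRBG arithmetic, decides the security of the result, and why a DRBG whose constants could hide a trapdoor (the Dual EC case) is a different risk class from one whose only secret is the seed.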

A new Dual EC DRBG flaw

Posted Jan 1, 2014 21:09 UTC (Wed) by wahern (subscriber, #37304)

"Generally I think either CTR DRBG or HMAC DRBG from SP800-90A are more likely to be chosen than Dual EC DRBG depending upon whether the application also needs a hash or block cipher whose implementation can be used as a building block for the DRBG implementation."

As I commented earlier this year, before the Snowden RSA disclosure, all the NSA needed to do was lean on commercial vendors to use Dual_EC_DRBG as the default, as it apparently did with BSafe and perhaps others. That better alternatives existed in the standard was a ruse.

My Slashdot comment:

If the NSA was only concerned with open source cryptographic products and protocols, you would have a point. But aside from government procurement, NIST standards are in practice used to specify deliverables for corporate security products. Getting Dual_EC_DRBG into a NIST standard is the equivalent of putting a backdoor into an ISO standard for door locks.

Once in the standard, the NSA can then lean on vendors to use the broken algorithm, and the vast majority of users of that product would be none the wiser. Most corporate security products are opaque and proprietary, and the purchasing agents are unlikely to have a clue about the problem. All they want to see is "NIST-approved".

All we can do is conjecture, but I don't think the scenario is that outlandish. To my mind it seems more like standard operating procedure than unlikely conspiracy. The fact that the backdoor is clumsy reflects less on the carelessness of the NSA, and more on the exceptional skills of the civilian community. We're smarter now. The NSA has fewer tricks up its sleeve, but it's not like they can just quit and go home.

-- http://it.slashdot.org/comments.pl?sid=4090525&cid=44570807


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds