
OpenSSL could have implemented a non-backdoored version

Posted Jan 2, 2014 1:23 UTC (Thu) by Thue (subscriber, #14277)
Parent article: A new Dual EC DRBG flaw

> SP800-90A allows implementers to either use a set of compromised points or to generate their own. What almost all commentators have missed is that hidden away in the small print (and subsequently confirmed by our specific query) is that if you want to be FIPS 140-2 compliant you MUST use the compromised points. Several official statements including the NIST recommendation don't mention this at all and give the impression that alternative uncompromised points can be generated and used.

The standard does say on page 77

> One of the following NIST approved curves with associated points shall be used in applications requiring certification under [FIPS 140].

and it seems likely that this was what mandated the backdoored points.

But the standard actually also allows you to output fewer bits in the output function, on page 65. Using about half the X coordinate as output (instead of all but 16 bits) should actually also stop the backdoor attack. At least according to Certicom's Daniel Brown, who patented the backdoor for Dual EC DRBG in 2005, as well as ways to mitigate the backdoor. OpenSSL could actually have used an "outlen" parameter of about half the key length, which would probably have been safe.

2005 patent:
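As an added illustration of the "outlen" point above (not code from the comment, the standard, or OpenSSL), here is a toy Dual EC generator on a constructed 16-bit curve with a configurable outlen, plus a count of how many curve x-coordinates stay consistent with a single output block. The prime, curve, base points and seed are all made up for the example, and nothing about the relationship between the two points is assumed.

```python
# Toy Dual EC DRBG over a constructed 16-bit curve (not NIST's parameters).
P_MOD = 65519                 # prime, P_MOD % 4 == 3 so square roots are cheap
A, B = 1, 4                   # constructed curve y^2 = x^3 + x + 4 over GF(P_MOD)

def x_has_point(x):
    """True if some y satisfies the curve equation for this x (Euler criterion)."""
    v = (x ** 3 + A * x + B) % P_MOD
    return v == 0 or pow(v, (P_MOD - 1) // 2, P_MOD) == 1

def point_from_x(x):
    """First curve point with x-coordinate >= x; sqrt valid as P_MOD % 4 == 3."""
    while not x_has_point(x):
        x += 1
    return x, pow((x ** 3 + A * x + B) % P_MOD, (P_MOD + 1) // 4, P_MOD)

def ec_add(p1, p2):
    if p1 is None or p2 is None:      # None is the point at infinity
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    acc = None
    while k:                          # double-and-add
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def xcoord(pt):
    return pt[0] if pt else 0         # toy convention for infinity; (0, 2) is on the curve

# Constructed stand-ins for the spec's P and Q; no relation between them is assumed.
BASE_P, BASE_Q = point_from_x(2), point_from_x(1000)

def dual_ec_block(s, outlen):
    """One Dual EC step: s' = x(s*P), r = x(s'*Q); emit the low outlen bits of r."""
    s_next = xcoord(ec_mul(s, BASE_P))
    r = xcoord(ec_mul(s_next, BASE_Q))
    return s_next, r, r % (1 << outlen)

def candidates(out, outlen):
    """Curve x-coordinates whose low outlen bits equal this output block."""
    return [x for x in range(out, P_MOD, 1 << outlen) if x_has_point(x)]
```

Dropping 2 of 16 bits leaves at most 4 candidate x values per block, while dropping 8 leaves up to 256; on a 256-bit field the same arithmetic gives 2^16 candidates when all but 16 bits are output and 2^128 when only half the coordinate is.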

Copyright © 2017, Eklektix, Inc.