This is an article about Dual_EC_DRBG. [edit: the final algo was] published in June 2006, and criticized as insecure by the end of June 2006. Here's Schneier's summary:
https://www.schneier.com/essay-198.html
Not only was it immediately criticized as being insecure, it's also slow. I doubt anyone used this algo; certainly, after 7 years of public criticism, anyone who used it would have replaced it by now.
Most notably apart from RSA is the "McAfee Firewall Enterprise Control Center" (who actually use RSA's library)
By ig1 12 years ago
So, when are we going to start seeing CVEs from these vendors, and updates to their software that disable this "feature"?
Cisco, Certicom, RSA, McAfee (via RSA), Juniper, Blackberry/RIM, OpenPeak, OpenSSL, Samsung, Symantec, Riverbed, Cummings Engineering, CoCo Communications, Kony, Lancope (via RSA), Mocana, Safenet, SafeLogic, Panzura, Microsoft, Thales e-Security, Catbird, ARX all list Dual_EC_DRBG as at least supported.
Of these, RSA (and presumably the others based on theirs, like McAfee and Lancope), Thales e-Security, and possibly Microsoft (Windows Server 2008 R2 lists only Dual_EC_DRBG, though it's possible that that's just their only FIPS compliant one and they use some non-standard algorithm by default) seem to use Dual_EC_DRBG by default or as the only option. I haven't tried finding documentation on all of these to see if they say what their default algorithm is, so it may be more.
edit to add: Found this discussion on the OpenSSL users list, about why they added it. Apparently it was because a paying customer requested it, though the customer is not named for confidentiality reasons. OpenSSL doesn't appear to enable the NIST/FIPS random number generators unless you compile it in FIPS mode (at least, as far as I can tell from a quick look; their build system is a bit weird, and FIPS mode is even stranger):
That tells you who has a certification for it. Note most people have certifications for multiple RNGs, including openssl (indeed a few of those modules are wrappers around openssl).
There is one company that only has a cert for EC_DRBG and thus can reasonably be inferred to be using it: Lancope, a network security/firewall company. For the rest of them, we don't know.
By anologwintermut 12 years ago
McAfee Firewall Enterprise Control Center only has Dual EC_DRBG certified (despite the fact the RSA library they use supports others; strongly suggesting it's what they actually use).
By ig1 12 years ago
"The default Pseudo Random Number Generator (PRNG) is the Dual EC-DRBG using a P256 curve with prediction resistance off."
... later ...
"Using a weak PRNG is inadvisable as it may allow attackers to predict the values of secret information such as session keys."
By jlgaddis 12 years ago
A few days ago, there was a lot of talk about how Tor has backdoors, because it is funded by the US Government.
The answer to that question is also here. You have the NIST, a government entity that is opposing another government entity, the NSA, because the former does not agree with the latter's practices. We should not forget that the government is not one cohesive entity and this is an example of that.
By thex86 12 years ago
Likewise, one should also remember that no single entity is singularly cohesive; that there are people working from within, even from within the "controversial" agencies, trying to make the places they work better for the country.
By taftster 12 years ago
There is certainly much good intention, more than is given credit for, in most government agencies. The reason I don't want to fund them to a great extent is that the bureaucracy of almost any large entity causes serious problems in inefficiency. I'd not want IBM running our government, and I don't want our federal government running our government.
By educating 12 years ago
People might be surprised at how much public-private cooperation goes on between businesses and government research entities like NIST.
In fact, an explicit part of NIST's role is filling in science that businesses need but can't do themselves.
NIST started out as the National Bureau of Standards. It sits in the Department of Commerce. Most of its activities are directed at tasks-- like standardizing measurements-- that businesses depend on, but are too small, or too balkanized, to do effectively on their own.
Unless, you know, you like every corner gas station having its own definition of "gallon", and every appliance manufacturer rating its offerings using different definitions of energy, and every steel producer specifying tensile strength according to its own test procedure.
Disclosure-- I had a post-doc at NIST in the late 1990s.
By dmlorenzetti 12 years ago
Is the DEC PRG not the same as the Dual EC DRBG (also by Kelsey), or is the 2006 paper wrong about Dual EC being breakable on a desktop computer, or is there some other subtlety I'm missing? Because the conclusion Ferguson came to in '07 wasn't that Dual EC was bad because it was trivially breakable.
(Nobody I know of uses Dual-EC, and you shouldn't either).
By tptacek 12 years ago
The 2006 paper calls the Dual EC DRBG "DEC PRG". They're the same thing.
Their attack does work in the advertised time, but it is a purely distinguishing attack, i.e., it tells you "this stream of random bits was generated by the DEC PRG". It does this by verifying that 256-bit integers constructed using the 240 output bits of the generator as their least-significant bits are more often valid points on the P-256 curve than truly random 240-bit strings would be. A 2007 paper extended this to predict bits.
EDIT: Actually, for the record, the first public attack on the generator was a predictor, in March 2006 [1]. Citing its conclusion:
"While the practical impact of these results are modest, it is hard to see how these flaws would be acceptable in a pseudo-random bit generator based on symmetric cryptographic primitives. They should not be accepted in a generator based on number-theoretic assumptions."
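The distinguisher described in the comment above, and the 2007-style predictor it mentions, as an added worked example. This is my own toy code, not code from the thread or from either paper, and it runs on a constructed 16-bit curve rather than P-256: the prime 65519, the coefficient A = 1 (B is found by a search for a prime-order curve), the scalar E_SECRET and the seeds are all values chosen for this example, and the generator emits the low 12 of 16 bits where the real generator emits 240 of 256. The structure is the real one: state update s_i = x(s_{i-1}·P), output r_i = x(s_i·Q) with its top bits dropped. `distinguish()` implements the 2006 statistic: for each output, count how many of the possible top-bit completions are valid x-coordinates; a genuine output always contains its own x, so the count runs about 0.5 higher than for uniform bits. `backdoor_predict()` shows the relation Shumow and Ferguson presented in 2007: anyone who knows e with P = e·Q lifts an output back to a point R = s·Q, computes e·R = s·P, and so learns the next state and every later output.

```python
"""Toy Dual_EC_DRBG on a constructed 16-bit curve (NOT P-256): the truncation
bias behind the 2006 distinguisher, and the P = e*Q backdoor predictor."""
import random
P_MOD = 65519                      # constructed prime, P_MOD % 4 == 3
A = 1                              # toy curve y^2 = x^3 + A*x + B (mod P_MOD)
OUT_BITS = 12                      # emit low 12 of 16 bits (real: 240 of 256)
TRUNC, N_LIFTS = 1 << OUT_BITS, 1 << (P_MOD.bit_length() - OUT_BITS)
QR_SET = {i * i % P_MOD for i in range(1, P_MOD)}  # squares mod P_MOD

def rhs(x, b):
    return (x * x * x + A * x + b) % P_MOD

def is_valid_x(x, b):
    """True if some curve point has x-coordinate x (rhs is 0 or a square)."""
    return x < P_MOD and (rhs(x, b) == 0 or rhs(x, b) in QR_SET)

def lift_x(x, b):
    """(x, y) on the curve or None; y = rhs^((p+1)/4) works as p = 3 mod 4."""
    y = pow(rhs(x, b), (P_MOD + 1) // 4, P_MOD)
    return (x, y) if x < P_MOD and y * y % P_MOD == rhs(x, b) else None

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def pick_curve():
    """Smallest B whose curve has prime order, so every point generates it."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0:       # singular, skip
            continue
        order = 1 + sum(1 if rhs(x, b) == 0 else 2 * (rhs(x, b) in QR_SET)
                        for x in range(P_MOD))
        if is_prime(order):
            return b, order
    raise RuntimeError("no prime-order curve found")

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

B, ORDER = pick_curve()
Q_PT = next(lift_x(x, B) for x in range(1, P_MOD) if is_valid_x(x, B))
E_SECRET = 31337                   # constructed backdoor scalar, 0 < e < ORDER
P_PT = ec_mul(E_SECRET, Q_PT)      # P = e*Q is all the attacker needs to know

def reduce_state(x):
    return x % ORDER or 1          # toy guard: never let the state become 0

class ToyDualEC:
    """s_i = x(s_{i-1} * P); r_i = x(s_i * Q); output = r_i mod 2^OUT_BITS.
    Scalars are nonzero mod the prime ORDER, so ec_mul never returns None."""
    def __init__(self, seed):
        self.s = reduce_state(seed)

    def emit(self):
        return ec_mul(self.s, Q_PT)[0] % TRUNC

    def output(self):
        self.s = reduce_state(ec_mul(self.s, P_PT)[0])
        return self.emit()

def candidate_count(r):
    """Completions r + k*2^OUT_BITS that are valid x-coordinates. A genuine
    output always contains its own x, so the count averages ~0.5 higher."""
    return sum(is_valid_x(r + k * TRUNC, B) for k in range(N_LIFTS))

def distinguish(n=3000):
    """Mean candidate count for n fresh-seeded DRBG outputs vs n uniform strings."""
    real = sum(candidate_count(ToyDualEC(s).output()) for s in range(1, n + 1)) / n
    rng = random.Random(0)                           # constructed uniform baseline
    rand = sum(candidate_count(rng.getrandbits(OUT_BITS)) for _ in range(n)) / n
    return real, rand

def backdoor_predict(observed, n_future):
    """Given three consecutive outputs and e: each completion of r0 lifts to
    R = +-s*Q, and e*R = +-s*P has x-coordinate s_next either way; keep the
    lift that reproduces r1 and r2, then emit the next n_future outputs."""
    r0, r1, r2 = observed
    for R in filter(None, (lift_x(r0 + k * TRUNC, B) for k in range(N_LIFTS))):
        clone = ToyDualEC(ec_mul(E_SECRET, R)[0])
        if clone.emit() == r1 and clone.output() == r2:
            return [clone.output() for _ in range(n_future)]
    return None
```

Feeding the first three outputs of `ToyDualEC(0xC0FFEE)` to `backdoor_predict` returns exactly the outputs that generator produces next, and `distinguish()` comes back at about 8.5 for real outputs against about 8.0 for uniform strings. The sign ambiguity in the lift is harmless: e·(−R) = −s·P has the same x-coordinate, which is all the next state uses. On P-256 the same loops cover 2^16 completions per output instead of 16, which is why the 2006 result is a statistical distinguisher rather than an instant break, while the backdoor step needs only a couple of outputs; with prediction resistance off, as in the default quoted further down, nothing ever refreshes the state once it is recovered.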
> Asked whether Microsoft would continue to use the encryption standard in some of its software, a spokesperson said the company "is evaluating NIST's recent recommendations and as always, will take the appropriate action to protect our customers."
Pretty funny, coming from an NSA partner company.
By frank_boyd 12 years ago
To the downvoters-instead-of-comment-leavers:
We know today that MS hands exploits over to the NSA.
Also, the likelihood that the NSA was allowed to integrate backdoors in MS Windows is extremely high.
How do you square that with "take the appropriate action to protect our customers"?
Additionally, backdoors/exploits can be used not only by their creators but also by others who find them, making MS's "protect the customers" claim even more ridiculous.
By frank_boyd 12 years ago
NSA is a customer, too.
By silentOpen 12 years ago
Did you notice circus arriving recently?
1. FBI Admits It Controlled Tor Servers Behind Mass Malware Attack (wired.com)
2. NIST "strongly" suggests dropping its own encryption standard (arstechnica.com)
3. No more CSS and HTML, just JS (ojjs.org)
By lelf 12 years ago
I can't figure out the relation between the third one and first two.
By z92 12 years ago
I don't understand the rationale to introduce such a weakness. The NSA doesn't have a monopoly on spying and cracking code. This weakens the defense of the USA's interests as well. This raises again the question of whether we can trust the people holding such power in their hands.
By chmike 12 years ago
The NSA thinks that if they have a backdoor into everything and a way to access everything, then they can make US "secure", through offensive means.
Yeah, that's what you get when you have an agency run by an army general.
By devx 12 years ago
>The NSA declined to comment.
That's a shocker.
By meowface 12 years ago
Never Say Anything
By mey 12 years ago
People referred to them as "No Such Agency" for a long time. It's kind of nice to see how they went from extreme public obscurity to a household name; it's hard to stay clandestine when even Joe Nobody knows who you are and exactly what you do.
By meowface 12 years ago
> and exactly what you do.
No. We know some things they do. We don't know what else and how much they do.
By rbanffy 12 years ago
Sorry, I was somewhat ambiguous. I meant:
Now most of the general public knows the nature of their work and some of the details surrounding it.
By meowface 12 years ago
Hopefully that will accelerate its abolition.
By devx 12 years ago
You seriously want us to be SIGINT blind?
By saraid216 12 years ago
If our SIGINT collecting organizations can't do it without breaking the most important laws of our country, yes.
By alcari 12 years ago
Don't get excited, I'm sure that its successor has already been minted.
By epoxyhockey 12 years ago
It's unlikely that that would happen, unless we suddenly get a new president in the coming years who is unlike the rest and vehemently anti-domestic surveillance.
They might undergo some reform, but the government apparatus has been far too reliant on many aspects of their work to actually shut them down.
By meowface 12 years ago
That's because when they do, it often sounds just like a lie.
By teeja 12 years ago
Read it on Wikileaks next month.
By fnordfnordfnord 12 years ago
I "strongly suggest" everyone drops NIST's encryption standards as soon as there are viable alternatives to them. They can't be trusted ever again, and it's best to form another truly international security standards body, anyway, with ties to no government.
By devx 12 years ago
And how do you know the "independent" organization that comes up with the next encryption standard wasn't covertly influenced or controlled by a hostile entity[1]?
Public scrutiny and peer review are the best defenses, and the NIST did as much.
[1] IMHO, I'm far more concerned about China and Russia than the US.
By metric10 12 years ago
This. Seriously, their algorithms and mathematics are public and under constant scrutiny from the entire cryptographic community. The vulnerabilities in RSA are known, SHA already has a third version ready if a systemic weakness in 128->512 bit SHA1/2 is revealed, and AES may require 512 bit keys for guaranteed security in the future, but seems solid.
They can't backdoor a math function because all 3 have been implemented by dozens of libraries and programs independently.
By zanny 12 years ago
AES is only defined for 128, 192, or 256 bit keys. You'd need to switch to a different block cipher like Blowfish (up to 448 bit keys), RC2 (up to 1024 bit keys), or RC5 (up to 2048 bit keys) to have a larger keyspace.
By msk5293 12 years ago
If Bruce Schneier thinks that strong symmetric crypto works (the math behind it is sound) I think I will also trust it.
The attacks are usually on the implementations or subverting the rng. Or plain old thermorectal cryptoanalysis - it obtains both symmetrical and asymmetrical keys in fixed time.
If Microsoft was seriously pissed and not fearful, they'd sic Microsoft Research on them.
Also Google, FB, Yahoo etc should provide grants so independent cryptologists can spend time to review and test encryption standards. They don't have to match NSA's budget...
By bsullivan01 12 years ago
> independent cryptologists can spend time to review and test encryption standards.
It's a small world. They need money to do their work. MS, Google, FB, Yahoo!, etc haven't been providing the funding or the jobs. GCHQ, NSA, etc have been providing money and jobs. It's too late - there are no independent cryptologists.
Maybe, but Google, Microsoft, FB and other top tech companies are even more connected to colleges than the NSA. They know their top students and can easily lure them with grants and even prizes. I remember talking to PhD students having to live on $20K a year; imagine how a $50K grant and a possible $1 million prize feels to him/her. If needed, tech companies as a whole can very easily outspend the NSA, if they want to. Unless they do something, other than filing PR lawsuits, they have only themselves to blame.
(Of course the brightest mathematicians are used to fool people into clicking on ads. But that's another story.)
By bsullivan01 12 years ago
Yes, MS has very close links with Cambridge University.
> I remember talking to PhD students having to live on $20K a year
The spooks recruit before the PhD if the person is good enough.
By rgbrenner 12 years ago