New NSA-Approved Encryption Standard May Contain Backdoor

Zonk posted more than 6 years ago | from the find-out-by-knocking dept.

Hugh Pickens writes "Bruce Schneier has a story on Wired about the new official standard for random-number generators the NIST released this year that will likely be followed by software and hardware developers around the world. There are four different approved techniques (pdf), called DRBGs, or 'Deterministic Random Bit Generators' based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. The generator based on elliptic curves called Dual_EC_DRBG has been championed by the NSA and contains a weakness that can only be described as a backdoor. In a presentation at the CRYPTO 2007 conference (pdf) in August, Dan Shumow and Niels Ferguson showed that there are constants in the standard used to define the algorithm's elliptic curve that have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG."

322 comments

umm (4, Interesting)

superwiz (655733) | more than 6 years ago | (#21367509)

Don't look for malice where incompetence will do.

-- Napoleon

Re:umm (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21367573)

This is the NSA, not the FBI.

Re:umm (5, Insightful)

bhima (46039) | more than 6 years ago | (#21367599)

But this is the NSA we're talking about... Not the Bush administration.

Ummm, parent is right. (5, Interesting)

iknownuttin (1099999) | more than 6 years ago | (#21368165)

But this is the NSA we're talking about... Not the Bush administration.

I wish I could remember the show I saw. But the scientist (MIT, PhD scientist) was amazed at the intellect of the NSA folks who came to see him about his research. I can't remember who it was - it was a NOVA episode (but it stuck in my head because of his fear!). And after talking to friends who work with various internet security companies and defense contractors, I have to reiterate their opinion of these guys - they're really sharp. And as much as I like to disparage Government workers, these guys aren't to be trifled with.

And, as I was previewing, I noticed that the parent was moderated "Offtopic".

As an Offtopic note: 2 out of 3 down mods that I meta mod are unfair. Keep that in mind. It's really pissing me off.

Re:Ummm, parent is right. (2, Insightful)

failedlogic (627314) | more than 6 years ago | (#21368421)

If you find out the episode, please reply to this thread. I'd be interested in watching it (and it's likely on YouTube, which will make it easy to watch, or my public library will have it).

Re:Ummm, parent is right. (0)

Anonymous Coward | more than 6 years ago | (#21368543)

Which is a shame, because they are being used to do the bidding of a globalist, interfering, warmongering nation. It's hard to look up to these people in light of this.

Re:Ummm, parent is right. (3, Funny)

cayenne8 (626475) | more than 6 years ago | (#21368629)

Nah....they had to put a backdoor here in hopes of getting it adopted.

Turns out Vista doesn't have the uptake they thought it would...so, they really can't exploit the Windows backdoor any longer...

They gotta try something!!

:-D

Re:Ummm, parent is right. (1)

non (130182) | more than 6 years ago | (#21368711)

perhaps you've heard of Robert Morris? [wikipedia.org]

Re:umm (3, Insightful)

niceone (992278) | more than 6 years ago | (#21367615)

Either way best not use Dual_EC_DRBG.

And if it is incompetence, in this case the malice can come later if anyone ever figures out the 'secret numbers'.

Re:umm (2, Insightful)

nuzak (959558) | more than 6 years ago | (#21367693)

> Either way best not use Dual_EC_DRBG.

I'm pretty sure that if they backdoored one, they backdoored them all. Best to not use any of the new algorithms, period.

Re:umm (4, Insightful)

bhima (46039) | more than 6 years ago | (#21367799)

How do you back door an Open algorithm you didn't design and don't distribute?

Re:umm (1)

0xygen (595606) | more than 6 years ago | (#21368193)

By successfully completing the "set up" stage of arranging the release of a new open algorithm by a third party?

Re:umm (2, Funny)

Anonymous Coward | more than 6 years ago | (#21367973)

1 2 3 4

Re:umm (1)

Damastus the WizLiz (935648) | more than 6 years ago | (#21368507)

5! you forgot the 5!

Re:umm (3, Funny)

cayenne8 (626475) | more than 6 years ago | (#21368687)

"5! you forgot the 5!"

Still..........I'd better go change the combination on my luggage....

Re:umm (3, Interesting)

someone1234 (830754) | more than 6 years ago | (#21367995)

The weakness of the encryption is not incompetence.
The incompetence is that they failed to hide it.

Already Found It (1)

Doc Ruby (173196) | more than 6 years ago | (#21368015)

Why bother looking, when the NSA's malicious incompetence (at respecting the Constitution - they're excellent at invading privacy) is already proven beyond doubt?

Don't look for excuses where criminal convictions will do much better.

Re:umm (1)

digitig (1056110) | more than 6 years ago | (#21368137)

When the backdoor has been exposed and they continue to promote it, I think the balance of probabilities begins to shift.

Re:umm (1)

WwWonka (545303) | more than 6 years ago | (#21368221)

...but don't ignore malice when malice has preceded incompetence past.
-me

Goatse links? (-1, Troll)

corifornia2 (1158503) | more than 6 years ago | (#21367565)

Anyone got some goatse links as the backdoor? Come on. Someone?

The answering machine (5, Interesting)

Verteiron (224042) | more than 6 years ago | (#21367567)

Anyone else reminded of the little Black Box from Sneakers? The one that used a mathematical backdoor to break any encryption based on a certain algorithm that was only used in the USA?

Re:The answering machine (4, Insightful)

Shakrai (717556) | more than 6 years ago | (#21368007)

Anyone else reminded of the little Black Box from Sneakers? The one that used a mathematical backdoor to break any encryption based on a certain algorithm that was only used in the USA?

More to the point, anyone else remember the premise of that movie? That said black box was utterly useless for doing anything other than spying on Americans, which (prior to Dubya anyway) was outside of the NSA's mandate.

Re:The answering machine (0)

Anonymous Coward | more than 6 years ago | (#21368275)

Precisely. The chances China, Russia et al. will use an encryption standard being promoted by a *US* authority are zero (let's not gloss over the fact that China, Russia et al. have plenty of top-grade mathematicians who can work on their own algorithms).

The only people who would use the encryption standards would be your own people.

Re:The answering machine (1)

Dorceon (928997) | more than 6 years ago | (#21368431)

I remember that all River Phoenix wanted for his share of the reward was the phone number of the female NSA agent.

Re:The answering machine (1)

Shakrai (717556) | more than 6 years ago | (#21368603)

Yeah, but she was pretty fucking cute [wikipedia.org] ;)

Err, wait, wrong link [wikipedia.org] ... *duck*

Re:The answering machine (3, Interesting)

harryHenderson (729254) | more than 6 years ago | (#21368099)

Of course the truly paranoid individual would realize that the backdoor in Dual_EC_DRBG was merely an "obvious" decoy designed to herd us all onto the other three, which also have backdoors. ;) (Not to make light of Mr. Schneier's point: the NSA has every reason to deny others effective cryptographic tools.)

So, what's the sekret set of numbers? (-1, Troll)

AragornSonOfArathorn (454526) | more than 6 years ago | (#21367587)

I want to rob your bank. And your bank's bank. From the comfort of my bathroom.

Re:So, what's the sekret set of numbers? (1)

BlowHole666 (1152399) | more than 6 years ago | (#21367895)

Are you stating you are going to do that? *Dials 911 to report you and ask for a reward* :)

Re:So, what's the sekret set of numbers? (1)

AragornSonOfArathorn (454526) | more than 6 years ago | (#21367941)

I don't think you can preemptively call and ask for a reward for reporting a crime yet to be committed. Just for that, I *won't* rob your bank, out of spite. ;-)

Re:So, what's the sekret set of numbers? (1)

BlowHole666 (1152399) | more than 6 years ago | (#21367997)

Damn you!!!!

Re:So, what's the sekret set of numbers? (0)

Anonymous Coward | more than 6 years ago | (#21368049)

Go back to your xboxes idiots!

Re:So, what's the sekret set of numbers? (0)

Anonymous Coward | more than 6 years ago | (#21368561)

Funny, some dolt on Xbox Live told me to "go back to Slashdot, idiot!"

Ummm...encryption standard? (2, Interesting)

morgan_greywolf (835522) | more than 6 years ago | (#21367627)

Is what is essentially a random number generator really an 'encryption' standard? And if it's really a backdoor, don't you still need to know rather quite a bit more than the random number seeds to break something like AES or RSA?

Re:Ummm...encryption standard? (3, Informative)

orclevegam (940336) | more than 6 years ago | (#21367691)

This seems to be more an issue with something like SSL in which the security of the system is reliant on not being able to guess the next number out of the PRNG.

Re:Ummm...encryption standard? (5, Informative)

ioshhdflwuegfh (1067182) | more than 6 years ago | (#21367745)

What happens in the article is that one of the algorithms proposed by the NSA for standardization possibly contains a major backdoor, because the constants it uses to generate numbers are such that there might be other constants, unknown from looking at the algorithm itself but nevertheless possibly known to the authors at the NSA, that allow one to recover the whole generated sequence of numbers from only a 32-byte sequence of generated numbers. Maybe or maybe not, depending on whether there are such constants, which only the NSA knows.

Re:Ummm...encryption standard? (5, Insightful)

starfishsystems (834319) | more than 6 years ago | (#21368021)

Randomness is absolutely at the heart of cryptography. So yes, to answer your question, it does matter.

If I can predict the value of a symmetric key, or the value whose two factors constitute an asymmetric key pair, I have effectively broken the encryption. Even supposing that I can't do this deterministically, but merely somewhat better than random, I'm still that much further ahead.

Re:Ummm...encryption standard? (0)

Anonymous Coward | more than 6 years ago | (#21368027)

Encryption and random numbers are two sides of the same coin. Any part of cyphertext that doesn't look like perfect randomness gives clues to the cleartext. Any non-random part of a key reduces the amount of work to "guess" the key. Therefore every cryptographic system needs a source of good random numbers, and quite a big amount of them.

One wonders what we can ever do right (0, Offtopic)

bogaboga (793279) | more than 6 years ago | (#21367687)

The generator based on elliptic curves called Dual_EC_DRBG has been championed by the NSA and contains a weakness that can only be described as a backdoor.

As a person, I am not very surprised. Software can be hard to develop. But on the other hand, I wonder what we as a nation (USA) can ever get right.

When I thought we had [finally] got the Boeing 787 Dreamliner right, I was informed the execution of the whole project was flawed.

Result? The plane will be delayed by more than 6 months, not to mention that a big chunk of the plane is manufactured abroad. I continue to be disappointed.

Re:One wonders what we can ever do right (3, Insightful)

BlowHole666 (1152399) | more than 6 years ago | (#21367817)

Well, I know one thing that is not right...your thinking. Perhaps you do not know about how engineering works? When you design something, you design it to the best of your ability. If you notice a flaw, you fix it. You try and prepare for all known and unknown problems, but you are not going to catch them all. You are looking at specific examples and not at the whole picture. Yes, maybe the 787 was flawed, maybe the NSA's choice is wrong. But what have we done right? Well, you brought up airplanes, let's see. The B2 bomber, that has a good track record. How about the F16? It has never been shot down. Maybe the Mars rovers; they appear to be doing quite well, and lasting longer than expected. So yes, you win some and you lose some. That's why it is engineering. If you had all the answers and knew all the potential problems, then it would be called following the directions.

Re:One wonders what we can ever do right (0)

Anonymous Coward | more than 6 years ago | (#21367925)

Engineering: We did it like this before and it worked. So let's use it again in this slightly modified form...

Re:One wonders what we can ever do right (0, Offtopic)

Shakrai (717556) | more than 6 years ago | (#21368053)

How about the F16 it has never been shot down.

Uhh, ya wanna rethink [wikipedia.org] that?

Re:One wonders what we can ever do right (1)

BlowHole666 (1152399) | more than 6 years ago | (#21368225)

My bad F-15.

Re:One wonders what we can ever do right (1)

Shakrai (717556) | more than 6 years ago | (#21368291)

My bad F-15.

Wrong again. Two F-15Es were shot down by ground fire during the Gulf War.

(I'm not trying to give you too much shit, and I generally agree with American engineering being among the best in the World, but our technology isn't invulnerable either...)

Re:One wonders what we can ever do right (1)

BlowHole666 (1152399) | more than 6 years ago | (#21368369)

http://www.af.mil/news/story.asp?storyID=123008310/ [af.mil]

The Raptor will eventually replace the F-15 Eagle, an aircraft with an undefeated 104-0 combat record, according to Brig. Gen. Larry New, former 325th Fighter Wing commander.

You can not do too much about ground fire. But in a dog fight the F-15 does quite well.

Re:One wonders what we can ever do right (1, Offtopic)

Shakrai (717556) | more than 6 years ago | (#21368557)

But in a dog fight the F-15 does quite well

Yes, the F-15 has never been defeated in air to air combat. It's also never faced an opponent remotely close to its own technological level. Nor has it ever faced a foe as well trained as the typical American or Israeli pilot. The F-15 has been "defeated" during exercises with allied powers, flying planes that are its equal in technology, with pilots as well trained as ours.

Understand that I'm not bad mouthing it, because it's a beautiful and effective aircraft. I just don't think it's very fair to say it's never been shot down and use that as an example of how great American engineering is, when it's never faced a foe on equal terms.

Re:One wonders what we can ever do right (0)

Anonymous Coward | more than 6 years ago | (#21368497)

Maybe you should try inhaling dude. It's certainly not gonna hurt your memory!

Re:One wonders what we can ever do right (1)

MikeBabcock (65886) | more than 6 years ago | (#21368589)

The only aircraft I remember reading had never been shot down is the SR-71 Blackbird [wikipedia.org] , and I may be wrong about that.

That's a very impressive piece of technology from a long time ago too.

Re:One wonders what we can ever do right (1)

afidel (530433) | more than 6 years ago | (#21368343)

I think he meant in air to air combat, which is a true statement.

Re:One wonders what we can ever do right (1)

Shakrai (717556) | more than 6 years ago | (#21368411)

I think he meant in air to air combat, which is a true statement.

Is it? [f-16.net]

(And that's not what he said anyway)

Re:One wonders what we can ever do right (1)

AP2k (991160) | more than 6 years ago | (#21368475)

What you say is very true. However, you forget to mention the element of administration. Engineers can only work with the tools, knowledge, and expertise they have. The administration overseeing the project can't always accommodate everything the engineer wants, due to budget restrictions or sheer ignorance. Sometimes the design itself might be flawed in a way that was unforeseeable in the past, and it would then be uneconomical to go back and fix the problem at present, or the managers can't allow you the time to go back and fix it because of deadlines and whatnot.

Thankfully the "make or break" moment of a project doesn't always rest on the shoulders of the engineer.

Not the same thing (4, Insightful)

Moraelin (679338) | more than 6 years ago | (#21368227)

It's not the same thing. For a start, it's not even necessarily software. It's a mathematical algorithm.

So, yes, the implementation can be buggy, but for something like cryptography you'd at least expect the maths behind it to be rock-solid.

A lot of cryptography is based on stuff like that it's _far_ easier to multiply two prime numbers, than to find out which two large primes are the factors of a very large number. (I don't know this particular algorithm in TFA yet, so I used RSA as a simple example.) Once some maths guy has figured that out, and how it can be used, then the actual implementation in software tends to be actually very simple and straightforward. You just do one operation over and over again to encrypt the stuff, and another operation again and again to decrypt it. So even an error in the implementation is pretty inexcusable, because it's not a lot of code and you have a step-by-step description of exactly what to do.

Usually when an error in the implementation happens, it's not as much a programming bug, as the fact that (again) someone didn't understand the underlying maths and principles. E.g., I vaguely remember a disk encryption program which used a secure algorithm, but... had an invariable and huge block of known text at the beginning of it, which meant it was crackable anyway.

Anyway, to get back to the important part: it's not software, it's maths. Pure old-fashioned maths.

And... well, I'm not saying that that maths is easy. The average code monkey trying to invent encryption _will_ come with something ridiculously easy to crack.

But I'll say this: if the best and brightest mathematicians the NSA can find, still aren't competent enough, then I'd worry about the USA. I'm not even an American, and my attitude is somewhat anti-American (or at least anti-Bush), but even I in my crankiest hour wouldn't have _that_ bad an opinion of the USA.

To put it in perspective: something like this isn't like your average piece of code that someone typed on a Friday afternoon and never bothered to test. Something like this is bound to be reviewed by at least 2-3 other pairs of eyes before it becomes an official spec. So if they simply couldn't find anyone qualified enough to review it... I'd worry. A lot.

The conspiracy theory there is actually the _far_ more flattering alternative.

Your assumption... (0)

Anonymous Coward | more than 6 years ago | (#21368659)

...is that they didn't get this algorithm EXACTLY right.

From TFA: (5, Informative)

Spy der Mann (805235) | more than 6 years ago | (#21367697)

* WHAT WE ARE NOT SAYING:
NIST intentionally put a backdoor in this PRNG

* WHAT WE ARE SAYING:
The prediction resistance for this PRNG (as presented in NIST-SP800-90) is dependent on solving one instance of the elliptic curve discrete log problem.
(And we do not know if the algorithm designer knew this beforehand.)

On the last slide, the researchers add some suggestions:

* Truncate off more than the top 16 bits of the output block.
  - Results on extractors from x coordinates of EC points of prime curves suggest truncating off the top bitlen/2 bits is reasonable.
* Generate a random point Q for each instance of the PRNG.

Re:From TFA: (5, Interesting)

Saint Aardvark (159009) | more than 6 years ago | (#21367753)

And this bit from Bruce's article:

If this story leaves you confused, join the club. I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.

My recommendation, if you're in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances. If you have to use something in SP 800-90, use CTR_DRBG or Hash_DRBG.

In the meantime, both NIST and the NSA have some explaining to do.

Re:From TFA: (1)

ioshhdflwuegfh (1067182) | more than 6 years ago | (#21367835)

Yeah, the whole thing with Dual_EC_DRBG is very, um, secretive.

Lock the Trojan Horse in a Stable (4, Insightful)

Jeremiah Cornelius (137) | more than 6 years ago | (#21367891)

Strategy: Legerdemain.
  1. Close the obvious backdoor.
  2. Create the public perception that this has been dealt with - while the subtly flawed algorithms are used.
  3. Profit!

How Long? (1)

rwven (663186) | more than 6 years ago | (#21367703)

I wonder how long it'll be before that "skeleton key" becomes public knowledge and makes the entire encryption scheme more worthless than it already is.

Re:How Long? (1)

bhima (46039) | more than 6 years ago | (#21367911)

This is just one part of a well designed system, and I'd say all of this part is already useless.

I don't think you understand the meaning of (1)

WillAffleckUW (858324) | more than 6 years ago | (#21367707)

I don't think you understand the meaning of the word "may".

The correct word to use is "does".

javascript and AC (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21367713)

Anybody likes the "new comment interface"? It sucks. It seems that if you are an AC and you have disabled javascript (eliminates all google ads!), you have to click EVERY TIME to bring up the old interface. Fucking assholes or what?

T-shirts (5, Funny)

hoggoth (414195) | more than 6 years ago | (#21367733)

secret numbers appearing on T-shirts in Finland in 3.. 2.. 1..

Re:T-shirts (1)

cruff (171569) | more than 6 years ago | (#21367983)

It's obvious that the only secret number required is... 42!

What part of "NSA Approved" don't you understand? (2, Insightful)

second class skygod (242575) | more than 6 years ago | (#21367755)

They're in the business of national security. That's generally at odds with personal security and liberty. Those who would trust such a product from them are suckers.

--scsg

Re:What part of "NSA Approved" don't you understan (2, Funny)

arkane1234 (457605) | more than 6 years ago | (#21367937)

That would explain why SELinux isn't widely used.

Re:What part of "NSA Approved" don't you understan (4, Insightful)

kebes (861706) | more than 6 years ago | (#21368107)

They're in the business of national security. That's generally at odds with personal security and liberty. Those who would trust such a product from them are suckers.

The problem is that this flaw is a much bigger threat to national security than to personal security. These "official recommendations" from the NSA are used to form official policies and guidelines in just about every branch of government (FBI, CIA, DOD, etc.).

So, if the NSA was indeed intentionally creating a backdoor, then they were doing a disservice to the "national security" they are supposedly protecting. By allowing (encouraging, in fact) top-secret government data to be encrypted in this way, they would be making the nation's secrets quite vulnerable. By comparison, private citizens and corporations can use whatever encryption they like, regardless of NSA recommendations.

I suppose one could argue that the NSA thought that no one would figure it out, so that they (and they alone) would be able to break that encryption for all time (so that they can spy on other branches of the government?). I think a simpler explanation is that NSA just made a mistake in endorsing that algorithm, and never intended to threaten national security. Of course it will be interesting to see what position they take now that a flaw has been publicly identified.

Re:What part of "NSA Approved" don't you understan (0)

Anonymous Coward | more than 6 years ago | (#21368563)

I suppose one could argue that the NSA thought that no one would figure it out, so that they (and they alone) would be able to break that encryption for all time

I think this is very poor thinking. China, Russia et al have plenty of top-grade mathematicians, and governments with the resources to throw at trying to get the prize of being able to crack US encryption. Encouraging the wide deployment of an encryption algorithm that has a backdoor is only a good idea right up until the time other people figure out what the backdoor is. The day could conceivably come where foreign governments are decrypting "secure" US traffic faster than even the NSA can?

Re:What part of "NSA Approved" don't you understan (1)

Panaflex (13191) | more than 6 years ago | (#21368863)

Oh, gee, I don't know. How many countries out there can mass-produce millions of machines able to sieve RSA factors, brute force DSA keys, and generally out-compute our agencies at a fraction of the cost?

Nah.... not happening.

Fix (3, Informative)

daveschroeder (516195) | more than 6 years ago | (#21367761)

"It's possible to implement Dual_EC_DRBG in such a way as to protect it against this backdoor, by generating new constants with another secure random-number generator and then publishing the seed. This method is even in the NIST document, in Appendix A. "

Re:Fix (1)

ioshhdflwuegfh (1067182) | more than 6 years ago | (#21367901)

"It's possible to implement Dual_EC_DRBG in such a way as to protect it against this backdoor, by generating new constants with another secure random-number generator and then publishing the seed. This method is even in the NIST document, in Appendix A. "
Which then shifts the concern to whether the algorithm, regardless of constants, has been already broken by NSA.
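The trapdoor Shumow and Ferguson describe, the "truncate more bits" suggestion from their last slide, and the Appendix A remedy quoted in this thread, shown together in a toy model. This is an added example written for this page, not code from the presentation, from NIST or from any commenter: the 10-bit curve is constructed at runtime, the seed, the secret d and the seed string for Q are made-up values, and the names Curve, run, recover_state, derive_point and demo are this example's own. It shows how the relationship P = d·Q turns a single output block into the generator's next internal state (at the cost of 2^DROP guesses for the dropped bits, which is why dropping more bits was suggested), and derive_point shows the Appendix-A style of deriving a constant from a published seed so that nobody is in a position to know such a d. On a curve this small the discrete log is of course brute-forceable, so the fix is illustrated in form, not in strength.

```python
"""Toy model of the Dual_EC_DRBG trapdoor (constructed example, not NIST's algorithm). NIST uses
P-256, a 256-bit state and drops 16 output bits; this toy uses a 10-bit prime and drops 2 bits."""
import hashlib


class Curve:
    """y^2 = x^3 + a*x + b over F_p with p % 4 == 3; None is the point at infinity."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b

    def lift_x(self, x):
        """A point with this x-coordinate, or None if x^3 + a*x + b is a non-square."""
        v = (x * x * x + self.a * x + self.b) % self.p
        if pow(v, (self.p - 1) // 2, self.p) != 1:
            return (x, 0) if v == 0 else None
        return (x, pow(v, (self.p + 1) // 4, self.p))

    def order(self):  # #E(F_p) by brute force: infinity plus 1 or 2 points per valid x
        pts = [self.lift_x(x) for x in range(self.p)]
        return 1 + sum(1 if pt[1] == 0 else 2 for pt in pts if pt is not None)

    def add(self, p1, p2):
        if p1 is None or p2 is None:
            return p1 or p2
        (x1, y1), (x2, y2) = p1, p2
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                                           # P + (-P)
        if p1 == p2:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow((x2 - x1) % self.p, -1, self.p)
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, k, pt):  # double-and-add
        acc = None
        while k:
            if k & 1:
                acc = self.add(acc, pt)
            pt, k = self.add(pt, pt), k >> 1
        return acc


def find_prime_order_curve(p=1019, a=2):
    """Pick b so #E is prime: every finite point then has order N and no scalar in [1, N-1]
    hits infinity (P-256 has prime order too; the search is just a toy convenience)."""
    for b in range(1, p):
        curve = Curve(p, a, b)
        n = curve.order()
        if (4 * a ** 3 + 27 * b * b) % p and all(n % i for i in range(2, int(n ** 0.5) + 1)):
            return curve, n
    raise RuntimeError("no prime-order curve found")


CURVE, N = find_prime_order_curve()
BITS, DROP = CURVE.p.bit_length(), 2          # 10-bit coordinates, top 2 bits dropped
OUT_MASK = (1 << (BITS - DROP)) - 1
# (s % N or 1) below is a toy guard against a zero scalar; negligible with a 256-bit state.

def advance(curve, p_pt, s):
    return curve.mul(s % N or 1, p_pt)[0]             # s_i = x(s_{i-1} * P)

def output(curve, q_pt, s):
    return curve.mul(s % N or 1, q_pt)[0] & OUT_MASK  # r_i = x(s_i * Q), top bits dropped

def derive_point(curve, seed):
    """Appendix-A style constant: hash a published seed to x and lift it, so anyone can verify
    the point was not chosen to hide a relationship to another constant."""
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % curve.p
    while curve.lift_x(x) is None:
        x = (x + 1) % curve.p
    return curve.lift_x(x)

def run(curve, p_pt, q_pt, s, n):
    """n blocks r_i, r_{i+1}, ... from state s_i; the honest generator and the attacker's
    forward prediction are this same computation."""
    outs = []
    for _ in range(n):
        outs.append(output(curve, q_pt, s))
        s = advance(curve, p_pt, s)
    return outs

def recover_state(curve, p_pt, q_pt, d, outputs):
    """Trapdoor: with P = d*Q, d * (s_i*Q) = s_i*P, whose x is s_{i+1}; return candidates."""
    first, rest = outputs[0], outputs[1:]
    candidates = []
    for hi in range(1 << DROP):                        # 2^DROP guesses for the dropped bits
        x = (hi << (BITS - DROP)) | first
        r_pt = curve.lift_x(x) if x < curve.p else None
        if r_pt is None:
            continue                                   # no curve point has this x
        s_next = curve.mul(d, r_pt)[0]
        if run(curve, p_pt, q_pt, s_next, len(rest)) == rest:
            candidates.append(s_next)                  # consistent with the blocks that followed
    return candidates

def demo(seed=12345, d=587):
    """Six blocks; an attacker holding d sees the first three and predicts the last three."""
    q_pt = derive_point(CURVE, b"constructed seed for Q")
    p_pt = CURVE.mul(d, q_pt)                          # insider's choice: P = d*Q, d kept secret
    s1 = advance(CURVE, p_pt, seed % CURVE.p)          # internal state when r_1 is produced
    observed = run(CURVE, p_pt, q_pt, s1, 6)           # r_1 .. r_6
    cands = recover_state(CURVE, p_pt, q_pt, d, observed[:3])            # candidates for s_2
    predicted = run(CURVE, p_pt, q_pt, cands[0], 5)[2:] if cands else []  # r_4 .. r_6
    return observed, cands, predicted, advance(CURVE, p_pt, s1)          # last item: true s_2
```

demo() returns the six observed blocks, the candidate states recovered from the first three, the three blocks predicted from that state (they equal observed[3:]) and the generator's true state for comparison. Note that the honest generator and the attacker's forward prediction are the same function, run(): once the state is known, the attacker simply is the generator, which is what "completely break any instantiation" in the summary amounts to. With Appendix-A constants for both P and Q (two independent published seeds) nobody holds a d, and with more bits dropped the guessing loop grows by a factor of two per bit.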

Re:Fix (1)

daveschroeder (516195) | more than 6 years ago | (#21368001)

By that reasoning, that's a concern for ANY encryption standard, then.

A lot of people seem to forget that the NSA's only job isn't to "break codes". It's to also provide mechanisms that it believes CANNOT be easily broken to protect OUR OWN information. That's the other half [nsa.gov] of NSA's mission everyone seems to forget.

Re:Fix (1)

ioshhdflwuegfh (1067182) | more than 6 years ago | (#21368267)

By that reasoning, that's a concern for ANY encryption standard, then.

Exactly. Except that we still have mathematics to prove how hard things are to crack, etc. Now, if it boils down to the problem of solving certain types of equations to figure the algorithm out, well, then once this is done the algorithm is doing exactly the opposite of what it is supposed to do. Even if it is not known how to solve such equations, it will definitely be in the interest of any cryptographer to solve them.

A lot of people seem to forget that the NSA's only job isn't to "break codes". It's to also provide mechanisms that it believes CANNOT be easily broken to protect OUR OWN information. That's the other half of NSA's mission everyone seems to forget.

I'd rather believe mathematics than the NSA. These two are not quite the same thing.

Re:Fix (1)

Penguinshit (591885) | more than 6 years ago | (#21368695)

But the other other half is the one which requires constant, close, scrutiny. Some people would rather we forget that.

And any encryption standard which is out-of-box broken is worthless, period.

Everyone who is not in NSA... (4, Interesting)

SlipperHat (1185737) | more than 6 years ago | (#21367773)

Should use the one that is hardest to break. If the NSA thinks elliptic curves are the best, only the NSA should use it. Let's see how happy they are having their own "unbreakable" code just for them.

Personally, I wish the NSA was a bit more chivalrous when it comes to these kinds of things. If it is your **JOB** to break codes, why whine when people pick the one that is hardest to break? The rest of the world doesn't have the luxury to pick how hard their job gets to be, so why should you?

The NSA is like an anti-virus / a pharmaceutical company where a cure is only good if it's in the company's best interests. Not to say that anti-virus / pharmaceutical companies are not ethical. But there is a saying along the lines of "If you can't come up with the solution, there is good money to be made in the problem."

Give everyone the key (1)

jhRisk (1055806) | more than 6 years ago | (#21367803)

That's in fact the best way to defeat such backhanded efforts, if they were intentional and not due to incompetence which, thanks to chaos theory, happened to create a seemingly planned back door. Offer the skeleton key freely to the masses, disseminating it as much as possible, thereby making the encryption scheme worthless. Without people using it, it would do the NSA little good.

Re:Give everyone the key (5, Informative)

superwiz (655733) | more than 6 years ago | (#21367969)

Read the post above. Getting the key involves solving a discrete log problem for one instance of an elliptic curve. The discrete log problem is an unsolved mathematical problem. So its solution essentially (your mileage may vary slightly) requires brute force. Either the NSA has a solution and was hoping the weakness would go unnoticed, or they don't have it. If they don't have it, no one will have it for a long time. These are more difficult to compute (and therefore more time consuming) than the traditional encryption schema (discrete log problems for Z/pZ). Now the question of whether you believe malice or incompetence is at play here is essentially up to you.

Re:Give everyone the key (1)

betterunixthanunix (980855) | more than 6 years ago | (#21368601)

The problem is that the backdoor is difficult to guess. The mathematicians who figured out the existence of the backdoor could only say that such a set of numbers exists, not what that set is. So unless you have some extra CPU cycles to put towards computing that...

Trust the Spies (5, Insightful)

Doc Ruby (173196) | more than 6 years ago | (#21367967)

The NSA is spying on all telecom signals passing through the US (including this message. Hi, Dick Cheney!). Despite the Constitution's prohibitions. Why would you trust them not to make your crypto crackable?

This situation shows one of the strongest arguments for open source. Trust no one.

Re:Trust the Spies (0)

Anonymous Coward | more than 6 years ago | (#21368087)

Message Title: Trust the Spies
From the comment: This situation shows one of the strongest arguments for open source. Trust no one.

Make up your mind. Trust the spies or trust no one?

Re:Trust the Spies (1)

Doc Ruby (173196) | more than 6 years ago | (#21368303)

"Trust the Spies" is the subject. My advice is "don't".

Don't trust any encryption (2, Insightful)

FranTaylor (164577) | more than 6 years ago | (#21367971)

Sessions can be recorded and cracked later when cpu is even more plentiful.

Encryption keys can be demanded by the government, they'll throw you in jail for not complying.

Keep your dirty laundry out of your computer.

The government doesn't think that your data is something that should be protected from unreasonable search, you shouldn't either.

Pfft (1)

sootman (158191) | more than 6 years ago | (#21368029)

All you need are more lava lamps. [wired.com]

I can't be the only one: (5, Interesting)

rilister (316428) | more than 6 years ago | (#21368037)

I can't be the only one who clicked on the link and was astonished to see:
"On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng - by Dan Shumow, Niels Ferguson, Microsoft"

Microsoft are exposing this? Are they funding the group making these kinds of claims? If this was true, wouldn't it intensely annoy the NSA to have this exposed? Am I missing something here?

- I see the disclaimer ("What we are NOT saying") where they seem to be saying - "No way did the NSA intentionally make this broken - maybe it was an errant developer and maybe they knew what they were doing", but it amounts to the same thing, surely?

Re:I can't be the only one: (4, Insightful)

jbf (30261) | more than 6 years ago | (#21368485)

Well I'm not surprised. Microsoft Research has tons of sharp security guys working there. Niels Ferguson is quite well-known in security circles. You don't get your company's name as an "author" unless your employees actually did the work; funding is not good enough. It might annoy the NSA, but academics don't care that much.

Nothing Up My Sleeve numbers... (0)

Anonymous Coward | more than 6 years ago | (#21368057)

This is why encryption algorithm designers use Nothing Up My Sleeve numbers.
http://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number [wikipedia.org]
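Added example, not part of this thread or of any standard: a small Python audit of a table of "magic" constants. A nothing-up-my-sleeve constant comes with a published derivation that anyone can re-run; the derivation scheme below (SHA-256 over a label and counter, truncated to the requested width) is a hypothetical illustration of that idea, and the constant names and values are constructed for the demo. A constant that ships with no derivation cannot be checked at all, which is exactly the situation the comment is objecting to.

```python
import hashlib
from typing import Optional


def derive_constant(label: str, index: int, nbits: int) -> int:
    """Reproducibly derive an nbits-wide integer from a public label.

    Hypothetical scheme for illustration only: hash "label|index|counter"
    with SHA-256, concatenate digests until nbits are available, then keep
    the top nbits. Anyone re-running this gets the same value, so there is
    nowhere to hide a secretly chosen number.
    """
    if nbits <= 0:
        raise ValueError("nbits must be positive")
    out = b""
    counter = 0
    while len(out) * 8 < nbits:
        out += hashlib.sha256(f"{label}|{index}|{counter}".encode()).digest()
        counter += 1
    value = int.from_bytes(out, "big")
    return value >> (len(out) * 8 - nbits)  # truncate to the top nbits


def audit_constants(table: list) -> dict:
    """Classify each constant as verifiable, mismatch, or unexplained.

    table entries are (name, value, derivation) where derivation is either
    None (the designer gave no explanation) or a (label, index, nbits) tuple
    describing how the value is supposed to have been produced.
    """
    report = {}
    for name, value, derivation in table:
        if derivation is None:
            report[name] = "unexplained"  # nothing to check against
            continue
        label, index, nbits = derivation
        expected = derive_constant(label, index, nbits)
        report[name] = "verifiable" if expected == value else "mismatch"
    return report


def demo_table() -> list:
    """Constructed sample table: one honest constant, one that was quietly
    altered after publication, and one with no stated origin."""
    honest = derive_constant("demo-curve-generator", 0, 128)
    tampered = honest ^ 1  # flip a bit: the published derivation no longer matches
    opaque = 0x3A5F1C9E7B2D4680FEDCBA9876543210  # arbitrary, no derivation given
    return [
        ("G_x", honest, ("demo-curve-generator", 0, 128)),
        ("G_x_altered", tampered, ("demo-curve-generator", 0, 128)),
        ("Q_x", opaque, None),
    ]


if __name__ == "__main__":
    for name, status in audit_constants(demo_table()).items():
        print(f"{name}: {status}")
```

The point of the audit is the third outcome: a reviewer can prove a value was or was not produced by its stated derivation, but a constant with no derivation at all can only be trusted, never checked.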

Isn't this as dangerous as ms' non-random (1)

davidsyes (765062) | more than 6 years ago | (#21368069)

RNG problems in xp/2k? Isn't the POINT of encryption to defeat/make EXTREMELY difficult the work undertaken by snoops?

Maybe they need to listen to Mylene Farmer's "Fuck them all"...

"Fuck Them All" is better than any Madonna song...heheh

http://youtube.com/watch?v=3lcbkFcK-zY&feature=related [youtube.com]

"Hey bitch, you're not on the list. You wish. You suck. You bitch. What's your name again? Hey bitch, you're not on the list. You bitch, you're not on the list. You wish. You suck, you bitch."

Well, Pardon her French.

Re:Isn't this as dangerous as ms' non-random (1)

davidsyes (765062) | more than 6 years ago | (#21368271)

Or, her "Frenglish"?

Of course! Just look what they did with the telcos (1)

dircha (893383) | more than 6 years ago | (#21368105)

Just look what they did with the telcos. The administration knew that it couldn't just go and force the telcos to install their drag net hardware to sweep up each and every electronic communication of ordinary Americans.

So what did they do? Instead of ordering the telcos to do it, we now know that they paid them to do it.

Would it be at all surprising if we were to find that the Bush administration also plans to pay crypto hardware manufacturers to install backdoors to allow them to better snoop on ordinary Americans' encrypted information?

If anything, I'd be surprised if they hadn't thought of this.

Surprise! The NSA wants a key to your encryption (1)

mlwmohawk (801821) | more than 6 years ago | (#21368117)

Does the term "NSA Key" ring a bell for anyone?

It should come as no surprise that the NSA wants to read your communications. The U.S.A. is the new oppressive state, shredding the constitution at lightning speed. Between spying, being labeled as an enemy combatant, Gitmo, and rendition, could someone tell me why I should fear the terrorists more than my own government?

Hell, they want prison time for copyright violation, and they haven't even ironed out an exact definition of copyright infringement. "Fair Use" is too nebulous, so almost anyone with a browser cache can be arrested and threatened with jail time. Just think about how useful this is in making people shut up about things like the Iraq war, impeachment, and the worst president ever.

Gotta go, black helicopters circling

Re:Surprise! The NSA wants a key to your encryptio (1)

Isaac-Lew (623) | more than 6 years ago | (#21368409)

Does the term "NSA Key" ring a bell for anyone?

I'm not saying that there isn't/wasn't an NSA-requested backdoor in Windows, however I'm sure that they wouldn't make it obvious by calling it NSAKEY (most likely, it would have been sneaked in as an undocumented API).

Things we know we don't know. (5, Interesting)

ColaMan (37550) | more than 6 years ago | (#21368199)

The NSA is a lot more competent than you think.
Go google "NSA DES" sometime.

"The NSA was embroiled in controversy concerning its involvement in the creation of the Data Encryption Standard (DES), a standard and public block cipher used by the US government. During development by IBM in the 1970s, the NSA recommended changes to the algorithm. There was suspicion the agency had deliberately weakened the algorithm sufficiently to enable it to eavesdrop if required. The suspicions were that a critical component -- the so-called S-boxes -- had been altered to insert a "backdoor"; and that the key length had been reduced, making it easier for the NSA to discover the key using massive computing power, although it has since been observed that the changes in fact strengthened the algorithm against differential cryptanalysis, which was not publicly discovered until the late 1980s."

So they made some small changes to DES... then a *decade* later, the rest of the crypto world says, "Huh. We've just done the sums and that actually made it better."

Not to say that in this case they're just screwing with the algorithm though :-P

Clipper Chip (3, Informative)

starfishsystems (834319) | more than 6 years ago | (#21368213)

I'm getting a distinct feeling of déjà vu about this. Anyone remember the Clipper Chip [wikipedia.org] ? Key escrow? Same basic idea, and that proposal came out of the NSA as well. Only then the backdoor was explicit.

The crypto community spoke out strongly against it, and the proposal, despite having a great deal of political muscle behind it, did not fly very far. Another sensible reason for its failure to gain acceptance was that it would have had no chance of success on the international market. Even if domestic use could have been forced through legislation, let's say, no other nation with a clue would pick it up.

why included (1)

mugnyte (203225) | more than 6 years ago | (#21368233)

I'm guessing the elliptical basis PRNG was only included to allow for a checkmark to be put on a list for the requirements: "ensure there is a simple method to bypass security for agencies that have clearance to do so" or similar. This smacks of a top-down request; mathematically, it's a ludicrous concept to rely on for practical considerations, if not for its strength then for its speed in current implementations.

I doubt it is a backdoor. (1)

forgotten_my_nick (802929) | more than 6 years ago | (#21368249)

More likely it can already be easily cracked.

Or maybe they know we know that and are using a double bluff? Or that could be a bluff, as they will know that we know what they know we will know.

why put all your eggs in one basket? (3, Interesting)

Sloppy (14984) | more than 6 years ago | (#21368345)

I see how it could be a problem for embedded work. But on personal computers, which nowadays have tremendously abundant resources, why not use multiple algorithms and entropy sources to build your pool? (Yes, I know some systems already do this.) NSA may be able to predict one sequence, but they sure as hell can't predict a bunch of them, XORed. They'd need mathematicians to crack all the RNGs, have a camera on your lava lamp, a microphone listening to the room, a tap on your power line, etc. By the time they do all of that, they might as well have just asked you what your plaintext is.
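Added example, not written by the commenter above: a Python simulation of the pooling idea. One source is a toy generator whose internal state an observer already knows (a stand-in for a predictable DRBG, constructed here as a 32-bit linear congruential generator, not the algorithm from the article), the other is the operating system's CSPRNG via `secrets.token_bytes`. The observer predicts the weak stream perfectly, but once the streams are XORed the prediction is right only about 1 time in 256, i.e. no better than guessing.

```python
import secrets


class PredictableDRBG:
    """Toy generator standing in for one whose output an observer can foresee.

    Constructed for this demo: a 32-bit LCG. It is NOT any standardised DRBG;
    it only models "someone else can reproduce every byte you draw".
    """

    def __init__(self, seed: int) -> None:
        self.state = seed & 0xFFFFFFFF

    def next_byte(self) -> int:
        self.state = (1103515245 * self.state + 12345) & 0xFFFFFFFF
        return (self.state >> 16) & 0xFF

    def read(self, n: int) -> bytes:
        return bytes(self.next_byte() for _ in range(n))


def xor_combine(*streams: bytes) -> bytes:
    """XOR equal-length byte strings from independent sources into one pool.

    If at least one input is uniform and independent of the others, the
    result is uniform, no matter how predictable the remaining inputs are.
    """
    n = len(streams[0])
    if any(len(s) != n for s in streams):
        raise ValueError("all streams must have the same length")
    pool = bytearray(n)
    for s in streams:
        for i, b in enumerate(s):
            pool[i] ^= b
    return bytes(pool)


def hit_rate(predicted: bytes, actual: bytes) -> float:
    """Fraction of positions where the observer's guess equals the real byte."""
    hits = sum(1 for p, a in zip(predicted, actual) if p == a)
    return hits / len(actual)


def demo(n: int = 4096, seed: int = 0xC0FFEE) -> dict:
    """Compare predictability of the weak stream alone vs. the XORed pool."""
    weak = PredictableDRBG(seed)
    observer_model = PredictableDRBG(seed)  # observer knows the weak seed
    weak_bytes = weak.read(n)
    predicted = observer_model.read(n)
    strong_bytes = secrets.token_bytes(n)  # OS CSPRNG, unknown to observer
    pool = xor_combine(weak_bytes, strong_bytes)
    return {
        "weak_hit_rate": hit_rate(predicted, weak_bytes),  # 1.0: fully predicted
        "pool_hit_rate": hit_rate(predicted, pool),        # roughly 1/256
    }


if __name__ == "__main__":
    print(demo())
```

Raw XOR is enough when the sources are genuinely independent; a source whose output an adversary can choose after seeing the others could cancel them, which is why production pools (the kernel's `/dev/random` pool, for instance) feed all inputs through a hash or an extractor rather than XORing them directly.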

Please, not again! (0)

Anonymous Coward | more than 6 years ago | (#21368365)

Enough said.

Nothing to see here... (1)

Seantotheizzo (1011799) | more than 6 years ago | (#21368463)

SHOCKING!

This is why (1)

steveoc (2661) | more than 6 years ago | (#21368613)

This is why, when I'm communicating with my business associates in Colombia or reporting to my controller in Moscow, we choose to always stick with the good old one-time pad.

Tiny little yellow Post-it notes still beat elliptical curves any day.

Digital Fortress? (1)

smaddox (928261) | more than 6 years ago | (#21368631)

They totally got the idea from Digital Fortress [wikipedia.org] .

So does that mean the NSA really does have a 3 million processor supercomputer? I find the individually soldered in by hand part hard to believe (not to mention everything else in dan brown books).

Why is anyone surprised? (1)

i_want_you_to_throw_ (559379) | more than 6 years ago | (#21368683)

N.S.A. already owns the patent to DES, and the whole point of that was to have a backdoor when Clipper failed to pass.

You also know that N.I.S.T. [nist.gov] is a front for N.S.A. too right? Of course there's a backdoor.

This and other stories are available in the latest issue of DUH!

Digital Fortress (0)

Anonymous Coward | more than 6 years ago | (#21368755)

Has anyone read Digital Fortress? All this sounds familiar!