

NSA compromised Dual EC DRBG never actually worked in OpenSSL - dsl
http://marc.info/?l=openssl-announce&m=138747119822324&w=2&x=1

======
shalmanese
While it's funny that Dual_EC_DRBG was so maligned and yet this bug was not
found until the recent news, it's also disturbing that OpenSSL is so poorly
tested that a bug of this magnitude was allowed to slip through for so long.

~~~
wereHamster
> Why wasn't this bug caught in the FIPS 140-2 validation testing?
>
> [snip explanation...]

Try to read the articles sometimes.

~~~
sp332
FIPS 140-2 isn't the only testing done on OpenSSL. You'd think some unit tests
would be in place at least.

------
lstamour
Next in thread, David Johnson points out:

> I have previously pointed this out as a bug in the FIPS spec. The need to
> prevent matching pairs in random numbers by 4.8.2 in FIPS 140-2 reduces the
> entropy.
>
> The requirement in 4.8.2 applies to all SP800-90 DRBGs, not just the Dual EC
> DRBG.
>
> I submitted this as part of my comments to the re-opened SP800-90 comment
> period.
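
The two technical points raised above (sp332's remark that a basic unit test should have caught a generator that fails on first use, and the quoted observation that a "no matching consecutive blocks" rule removes a little entropy) can be made concrete in code. The following is an added example written for this thread, not code from OpenSSL or from any commenter. It assumes the matching-pairs rule as described in the comment (each new block is compared with the previous one and an equal pair is a failure); the generator classes, the wrapper, and the seed are constructed for the example, and the hash-chain source is a stand-in, not a real DRBG.

```python
import hashlib
import math


class ContinuousRngTestFailed(Exception):
    """Raised when a freshly generated block equals the previous block."""


class HashChainToyGenerator:
    """Deterministic toy output source, constructed for this example only.
    It is NOT a real DRBG; it just gives the wrapper something to compare."""

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(seed).digest()

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.state = hashlib.sha256(self.state).digest()
            out += self.state
        return out[:n]


class StuckGenerator:
    """Failure-mode source: every call returns the same block, so the
    matching-pairs test must reject it. Constructed for this example."""

    def generate(self, n: int) -> bytes:
        return b"\x00" * n


class ContinuousTestedGenerator:
    """Applies the matching-pairs (continuous) test around any generator:
    the first block after start-up is saved and never output; every later
    block is compared with the previous one, and an equal pair is a failure."""

    def __init__(self, inner, block_len: int = 16) -> None:
        self.inner = inner
        self.block_len = block_len
        self.previous = None

    def generate(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            block = self.inner.generate(self.block_len)
            if self.previous is None:
                self.previous = block  # saved for comparison, not emitted
                continue
            if block == self.previous:
                raise ContinuousRngTestFailed("two consecutive blocks are identical")
            self.previous = block
            out += block
        return bytes(out[:n])


def generator_produces_output(gen, n: int = 64) -> bool:
    """The smoke test the thread asks for: does a single generate call
    actually return n bytes, or does the self-test fail on first use?"""
    try:
        return len(gen.generate(n)) == n
    except ContinuousRngTestFailed:
        return False


def entropy_loss_bits(block_bits: int) -> float:
    """Entropy given up per block by forbidding a repeat of the previous
    block: the next block has 2**b - 1 admissible values instead of 2**b,
    so the loss is log2(2**b / (2**b - 1)) bits. Computed via log1p so the
    result stays accurate for large block sizes instead of rounding to 0."""
    return -math.log1p(-2.0 ** -block_bits) / math.log(2)


if __name__ == "__main__":
    good = ContinuousTestedGenerator(HashChainToyGenerator(b"constructed seed"))
    print("healthy generator returns output:", generator_produces_output(good))
    stuck = ContinuousTestedGenerator(StuckGenerator())
    print("stuck generator returns output:  ", generator_produces_output(stuck))
    for bits in (16, 128):
        print(f"entropy loss per {bits}-bit block: {entropy_loss_bits(bits):.3g} bits")
```

The one-line check in `generator_produces_output` is the kind of test the thread says was missing: it does not validate randomness, it only asserts that the wrapped generator returns output at all instead of failing its own self-test on the first call. The entropy figure shows the quoted complaint is real but small: for 16-bit blocks the rule costs about 2e-5 bits per block, and for 128-bit blocks the loss is far below anything measurable.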

------
oakwhiz
So they have a patch to fix it, but can't apply it because that would void the
FIPS certification status, and they won't apply it because they are disabling
the use of Dual_EC_DRBG anyway.

