
NIST "strongly" suggests dropping its own encryption standard - fejr
http://arstechnica.com/security/2013/09/government-standards-agency-strongly-suggests-dropping-its-own-encryption-standard/
======
rgbrenner
This is an article about Dual_EC_DRBG.. [edit: the final algo was] published
in June 2006, and criticized as insecure by the end of June 2006. Here's
Schneier's summary:
[https://www.schneier.com/essay-198.html](https://www.schneier.com/essay-198.html)

First critic from June 2006:
[http://eprint.iacr.org/2006/190](http://eprint.iacr.org/2006/190)

Not only was it immediately criticized as being insecure, it's also slow.. I
doubt anyone used this algo.. certainly, after 7 years of public criticism,
anyone who used it would have replaced it by now.

~~~
jedbrown
> I doubt anyone used this algo...

Apparently RSA Security uses it as a default.

[http://developer-content.emc.com/docs/rsashare/share_for_jav...](http://developer-content.emc.com/docs/rsashare/share_for_java/1.1/dev_guide/group__LEARNJSSE__RANDOM__ALGORITHM.html)
[https://lwn.net/Articles/566329/](https://lwn.net/Articles/566329/)

~~~
rgbrenner
Interesting. Thanks for the link.. it's the first example of it actually being
used I've seen.

If anyone else has other examples, I would be interested in those too.

~~~
ig1
If you look at
[http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval....](http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html)
you can see who's using EC_DRBG.

Most notably apart from RSA is the "McAfee Firewall Enterprise Control Center"
(who actually use RSA's library)

~~~
anologwintermut
That tells you who has a certification for it. Note most people have
certifications for multiple RNGs, including OpenSSL (indeed a few of those
modules are wrappers around OpenSSL).

There is one company that only has a cert for EC_DRBG and thus can reasonably
be inferred to be using it: Lancope, a network security/firewall company.
For the rest of them, we don't know.

~~~
ig1
McAfee Firewall Enterprise Control Center only has Dual EC_DRBG certified
(despite the fact that the RSA library they use supports others; strongly
suggesting it's what they actually use).

~~~
anologwintermut
McAfee Firewall Enterprise Control Center has certifications 340 333 163 162
and 340. Two of those are for HMAC_Based_DRBG.

------
thex86
A few days ago, there was a lot of talk about how Tor has backdoors, because
it is funded by the US Government.

The answer to that question is also here. You have the NIST, a government
entity that is opposing another government entity, the NSA, because the former
does not agree with the latter's practices. We should not forget that the
government is not one cohesive entity and this is an example of that.

~~~
taftster
Likewise, one should also remember that no single entity is singularly
cohesive; that there are people working from within, even from within the
"controversial" agencies, trying to make the places they work better for the
country.

~~~
educating
There is certainly much good intention, more than is given credit for, in most
government agencies. The reason I don't want to fund them to a great extent is
that the bureaucracy of almost any large entity causes serious problems in
inefficiency. I'd not want IBM running our government, and I don't want our
federal government running our government.

~~~
dmlorenzetti
People might be surprised at how much public-private cooperation goes on
between businesses and government research entities like NIST.

In fact, an explicit part of NIST's role is filling in science that businesses
need but can't do themselves.

NIST started out as the National Bureau of Standards. It sits in the
Department of Commerce. Most of its activities are directed at tasks-- like
standardizing measurements-- that businesses depend on, but are too small, or
too balkanized, to do effectively on their own.

Unless, you know, you like every corner gas station having its own definition
of "gallon", and every appliance manufacturer rating its offerings using
different definitions of energy, and every steel producer specifying tensile
strength according to its own test procedure.

Disclosure-- I had a post-doc at NIST in the late 1990s.

------
tptacek
Is the DEC PRG not the same as the Dual EC DRBG (also by Kelsey), or is the
2006 paper wrong about Dual EC being breakable on a desktop computer, or is
there some other subtlety I'm missing? Because the conclusion Ferguson came to
in '07 wasn't that Dual EC was bad because it was trivially breakable.

(Nobody I know of uses Dual-EC, and you shouldn't either).

~~~
pbsd
The 2006 paper refers to the Dual EC DRBG as DEC PRG. They're the same thing.

Their attack does work in the advertised time, but it is a purely distinguishing
attack, i.e., it tells you "this stream of random bits was generated by the
DEC PRG". It does this by verifying that the number of 256-bit integers
constructed using the 240 bits of the generator as least-significant bits are
more often valid points on the P-256 curve than truly random 240-bit strings
would. A 2007 paper extended this to predict bits.

EDIT: Actually, for the record, the first public attack on the generator was a
predictor, in March 2006 [1]. Citing its conclusion:

"While the practical impact of these results are modest, it is hard to see how
these flaws would be acceptable in a pseudo-random bit generator based on
symmetric cryptographic primitives. They should not be accepted in a generator
based on number-theoretic assumptions."

[1] [http://www.math.ntnu.no/~kristiag/drafts/dual-ec-drbg-commen...](http://www.math.ntnu.no/~kristiag/drafts/dual-ec-drbg-comments.pdf)
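
tptacek asks above how the 2006 distinguisher relates to the 2007 predictor, and pbsd's reply describes both. The following is an added example written for this page, not NIST's generator, not RSA's code and nothing taken from the linked papers: a scaled-down Dual EC over a made-up 10-bit curve, with a Q whose relation to P (P = D*Q with D = 7) is known to the attacker. `has_valid_completion` is pbsd's distinguishing property in miniature: the completions of a genuine truncated block always contain the real x-coordinate, which lies on the curve, while a uniform block sometimes has none. `recover_state` is the 2007-style predictor: lift the block to a point R, multiply by D to land on the next state, confirm against later blocks. The curve search, the seed 12345, D, `Q_HONEST` and the two-bit truncation are all assumptions of the example.

```python
"""Toy Dual_EC_DRBG with a planted P/Q relation, plus the two attacks the thread discusses:
the distinguisher (every genuine block completes to a valid x-coordinate) and the trapdoor
state recovery. Made up for this example: a 10-bit curve, arbitrary seed, D and truncation."""

P_MOD = 1019                            # prime, 3 mod 4 so sqrt is a single pow()
A = P_MOD - 3                           # y^2 = x^3 - 3x + B: same a = -3 as P-256
TRUNC_BITS = P_MOD.bit_length() - 2     # drop the top 2 bits (Dual EC drops 16 of 256)
OUT_MASK = (1 << TRUNC_BITS) - 1

def legendre(v):
    return pow(v % P_MOD, (P_MOD - 1) // 2, P_MOD)  # 1 square, p-1 non-square, 0 zero

def choose_b():
    """B such that the order N is prime and above p, and x = 0 is not on the curve:
    every state (an x-coordinate below p) is then a nonzero scalar mod N."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0 or legendre(b) == 1:
            continue                    # singular curve, or (0, y) would be a point
        chi = [legendre(x ** 3 + A * x + b) for x in range(P_MOD)]
        n = P_MOD + 1 + sum(1 if c == 1 else -1 if c == P_MOD - 1 else 0 for c in chi)
        if n > P_MOD and all(n % k for k in range(2, int(n ** 0.5) + 1)):
            return b, n
    raise RuntimeError("no suitable curve for this p")

B, N = choose_b()

def ec_add(p1, p2):
    """Affine group law on y^2 = x^3 + Ax + B; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """A y with (x, y) on the curve, or None if x is not an x-coordinate."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return y if y * y % P_MOD == rhs else None

P_PT = next((x, lift_x(x)) for x in range(1, P_MOD) if lift_x(x) is not None)
D = 7                                   # trapdoor: P = D*Q, known only to Q's designer
Q_TRAPDOOR = ec_mul(pow(D, -1, N), P_PT)
Q_HONEST = ec_mul(2, P_PT)              # its real trapdoor is 2^-1 mod N, which is not D

def step(s):
    return ec_mul(s, P_PT)[0]           # s_{i+1} = x(s_i * P)

def output(s, q):
    return ec_mul(s, q)[0] & OUT_MASK   # block_i = x(s_i * Q) with the top bits dropped

def generate(seed, count, q):
    """The generator proper; reseeding and additional input are left out."""
    s, blocks = seed, []
    for _ in range(count):
        s = step(s)
        blocks.append(output(s, q))
    return blocks

def predict(s, count, q):
    """Blocks from state s onward: the one s itself yields, then the following ones."""
    return [output(s, q)] + generate(s, count - 1, q)

def completions(block):
    xs = ((hi << TRUNC_BITS) | block for hi in range(1 << (P_MOD.bit_length() - TRUNC_BITS)))
    return [x for x in xs if x < P_MOD]

def has_valid_completion(block):
    """Distinguisher: a genuine block's completions always include the real x(sQ)."""
    return any(lift_x(x) is not None for x in completions(block))

def recover_state(blocks, d, q):
    """From block_i and d with P = d*Q: lift each completion to a point R; d*R = s_i*P has
    x-coordinate s_{i+1}. Confirm against later blocks; return s_{i+1} or None."""
    for x in completions(blocks[0]):
        if lift_x(x) is None:
            continue
        s_next = ec_mul(d, (x, lift_x(x)))[0]
        if predict(s_next, len(blocks) - 1, q) == blocks[1:]:
            return s_next
    return None

if __name__ == "__main__":
    seen = generate(12345, 6, Q_TRAPDOOR)
    s_rec = recover_state(seen[:4], D, Q_TRAPDOOR)
    print("observed:", seen, "predicted from block 1:", predict(s_rec, 5, Q_TRAPDOOR))
    print("same D against honest Q:", recover_state(generate(12345, 6, Q_HONEST)[:4], D, Q_HONEST))
```

At P-256 parameters the same loop enumerates 2^16 completions per block instead of 4, which is still trivial on a desktop; the thing that stands between an observer and the state is not the truncation but the scalar D, which is why the relation between the standardised P and Q was the whole controversy. Run against `Q_HONEST`, for which the attacker holds no trapdoor, the same code returns None.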

~~~
tptacek
That made _perfect_ sense. A gem of a comment. Thank you!

------
jlgaddis
Note that the original article is from ProPublica and the original headline
was:

_"Government Standards Agency “Strongly” Suggests Dropping its Own Encryption Standard"_

[http://www.propublica.org/article/standards-agency-strongly-...](http://www.propublica.org/article/standards-agency-strongly-suggests-dropping-its-own-encryption-standard)

Ars Technica, however, changed it and added in "NSA-influenced algorithm"
because, you know, clicks.

~~~
arthulia
It is also somewhat more informative about _why_ they might possibly want
people to drop it.

------
alcari
Here's the NIST document from their own site, in case you'd like to skip the
article:
[http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supp...](http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf)

------
jlarocco
Am I blind, or does the article never once mention which encryption standard
it's talking about?

~~~
fejr
It does.

> The NIST standard describes what is known as an "elliptic curve-based
> deterministic random bit generator."

And also links in the first paragraph to:
[http://www.propublica.org/documents/item/785571-itlbul2013-0...](http://www.propublica.org/documents/item/785571-itlbul2013-09-supplemental#document/p2)

------
frank_boyd
> Asked whether Microsoft would continue to use the encryption standard in
> some of its software, a spokesperson said the company "is evaluating NIST's
> recent recommendations and as always, _will take the appropriate action to
> protect our customers_."

Pretty funny, coming from an NSA partner company.

~~~
frank_boyd
To the downvoters-instead-of-comment-leavers:

We know today that MS hands exploits over to the NSA.

Also, the likelihood that the NSA was allowed to integrate backdoors in MS
Windows is extremely high.

How do you square that with "take the appropriate action to protect our
customers"?

Additionally, backdoors/exploits can be used not only by their creators but
also by others who find them, making MS's "protect the customers" claim even
more ridiculous.

~~~
silentOpen
NSA is a customer, too.

------
lelf
Did you notice the circus arriving recently?

    1. FBI Admits It Controlled Tor Servers Behind Mass Malware Attack (wired.com)
    2. NIST "strongly" suggests dropping its own encryption standard (arstechnica.com)
    3. No more CSS and HTML, just JS (ojjs.org)

~~~
z92
I can't figure out the relation between the third one and first two.

------
chmike
I don't understand the rationale for introducing such a weakness. The NSA doesn't
have a monopoly on spying and cracking code. This weakens the defense of the USA's
interests as well. This raises again the question of whether we can trust the
people holding such power in their hands.

~~~
devx
The NSA thinks that if they have a backdoor into everything and a way to
access everything, then they can make US "secure", through _offensive_ means.

Yeah, that's what you get when you have an agency run by an army general.

------
meowface
>The NSA declined to comment.

That's a shocker.

~~~
mey
Never Say Anything

~~~
meowface
People referred to them as "No Such Agency" for a long time. It's kind of nice
to see how they went from extreme public obscurity to a household name; it's
hard to stay clandestine when even Joe Nobody knows who you are and exactly
what you do.

~~~
devx
Hopefully that will accelerate its abolition.

~~~
saraid216
You seriously want us to be SIGINT blind?

~~~
alcari
If our SIGINT collecting organizations can't do it without breaking the most
important laws of our country, yes.

~~~
DanBC
NSA has been murdering people?

~~~
taproot
Laws surrounding murder by and large aren't all that important. If it wasn't
illegal you'd just have mob justice filling the gap, as murder is generally
frowned upon quite severely by society.

Ideas surrounding freedom, liberty, and privacy are very complex, easily
confused, and often forgotten until it's too late. The laws around these things
are mechanisms which help protect what your country supposedly holds dear.

But in answer to your actual question, would you believe them if they said
they hadn't?

------
devx
I "strongly suggest" everyone drops NIST's encryption standards as soon as
there are viable alternatives to them. They can't be trusted ever again, and
it's best to form another truly international security standards body, anyway,
with ties to no government.

~~~
tedunangst
So much for AES. Time to go back to blowfish.

~~~
devx
ChaCha20:

[http://cr.yp.to/chacha.html](http://cr.yp.to/chacha.html)

------
bsullivan01
If Microsoft was seriously pissed _and_ not fearful, they'd sic Microsoft
Research on them.

Also Google, FB, Yahoo etc should provide grants so independent cryptologists
can spend time to review and test encryption standards. They don't have to
match NSA's budget...

~~~
DanBC
> independent cryptologists can spend time to review and test encryption
> standards.

It's a small world. They need money to do their work. MS, Google, FB, Yahoo!,
etc haven't been providing the funding or the jobs. GCHQ, NSA, etc have been
providing money and jobs. It's too late - there are no independent
cryptologists.

EG:
([http://www.cs.bris.ac.uk/Research/CryptographySecurity/](http://www.cs.bris.ac.uk/Research/CryptographySecurity/))
([http://bsc.bris.ac.uk/](http://bsc.bris.ac.uk/)) and
([http://www.blogger.com/comment.g?blogID=14836817&postID=1126...](http://www.blogger.com/comment.g?blogID=14836817&postID=112609269827820403))
{expand the original comment with this last link}
([http://www.maths.bris.ac.uk/research/heilbronn_institute/](http://www.maths.bris.ac.uk/research/heilbronn_institute/))

~~~
bsullivan01
Maybe, but Google, Microsoft, FB and other top tech companies are even more
connected to colleges than NSA. They know their top students and can easily
lure them with grants and even prizes. I remember talking to PHD students
having to live on $20K a year, imagine how a $50K grant and a possible $1
Million prize feels to him/her. If needed, tech companies as a whole can very
easily outspend NSA, if they want to. Unless they do something, other than
filing PR lawsuits, they have only themselves to blame.

(Of course the brightest mathematicians are used to fool people into clicking
on ads. But that's another story.)

~~~
DanBC
Yes, MS has very close tight links with Cambridge university.

> I remember talking to PHD students having to live on $20K a year

The spooks recruit before PHD if the person is good enough.

