

Hopefully the last post I'll ever write on Dual EC DRBG - wglb
http://blog.cryptographyengineering.com/2015/01/hopefully-last-post-ill-ever-write-on.html

======
bradleyjg
The underlying letter
[http://www.ams.org//notices/201502/rnoti-p165.pdf](http://www.ams.org//notices/201502/rnoti-p165.pdf)
carefully avoids saying whether or not the NSA put a backdoor into Dual EC
DRBG. The language in several places seems to suggest it did not, but there is
no outright denial (or acknowledgement).

~~~
csandreasen
In a keynote speech, Richard "Dickie" George, former technical director for
the NSA Information Assurance Director, flat out denied it claiming that they
were non-deterministically generated random numbers[1]. He also talked a
little bit about how Dual EC became a public standard to begin with[2]. If you
have the time, I think the whole video is worth a watch - he goes into the
history of DES, espionage between the US and Soviets, getting cryptographic
equipment working in tanks, etc...

[1] [http://vimeo.com/97891042](http://vimeo.com/97891042) (jump to 57:53)

[2] Same video, jump to 30:14

~~~
bradleyjg
Just watched the whole video. Thanks for linking it.

------
Someone1234
Everyone keeps saying that the leaks confirmed the backdoor (e.g. wikipedia
claims that) but which leak exactly? I didn't see a leak which confirmed the
Dual EC DRBG backdoor. If someone did can you link it here?

PS - There may very well be a backdoor. In fact I believe that there is. But
people keep claiming the Snowden leaks confirmed it, when I see no such
confirmation.

~~~
nullc
I'm pretty sure most people have taken the certicom patent on using this
technique for "escrow" as pretty strong evidence that it was an intentional
backdoor.

Esp. coupled with its insanely slow performance and NSA's failure to point out
that the selection of the 'random' numbers could be used to backdoor the
cryptosystem. (especially when they continued to fail to point that out and
support the cryptosystem while embargoing the patent for national security
reasons).

But indeed, I'm not aware of any stronger proof. ... but people go to jail on
evidence less circumstantial than this all the time. How high a bar must be
set before we can just say "backdoored" without a page of footnotes?

~~~
scintill76
I basically agree with your conclusion, but it sounds like they did not
embargo the patent: [https://projectbullrun.org/dual-ec/patent.html](https://projectbullrun.org/dual-ec/patent.html)
("recommended against a secrecy order"). Or am I confused about the meaning?
Anyway, it at least shows the NSA was institutionally aware of the possibility
of backdooring, and other cryptographers knew about it, yet NSA pushed for its
adoption.
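The "selection of the 'random' numbers" that nullc and scintill76 are talking about, shown on a toy curve as an added illustration (this is not code from the thread, from Green's post, or from any real implementation). The curve y^2 = x^3 + x - 1 over F_10007, the base point (1, 1), the seed 4242 and the escrow scalar e = 1337 are all constructed for the demo. Dual EC updates its state with one point P and derives output from a second point Q; if whoever published the constants chose them so that P = e*Q and kept e, a single truncated output is enough to recover the generator's next state and every output after it. The real standard drops 16 of 256 bits per output, so the attacker brute-forces 2^16 completions; here 2 of 14 bits are dropped, so there are 4.

```python
# Toy Dual EC DRBG with the trapdoor relation P = e*Q, on a tiny curve.
# Added illustration, not code from the thread or the blog post. The curve
# y^2 = x^3 + x - 1 over F_10007, the base point (1, 1), the seed 4242 and the
# escrow scalar e = 1337 are all constructed for the demo.

P_MOD = 10007                 # prime with P_MOD % 4 == 3, so a square root is one exponentiation
A, B = 1, P_MOD - 1           # y^2 = x^3 + x - 1; B = -1 is a non-residue, so x = 0 is never on the curve
INF = None                    # point at infinity
TRUNC = 2                     # bits dropped from each x-coordinate (the real standard drops 16 of 256)
OUT_BITS = P_MOD.bit_length() - TRUNC
OUT_MASK = (1 << OUT_BITS) - 1


def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B mod P_MOD."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P), including doubling a 2-torsion point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a point (x, y) on the curve, or None if x is not a valid x-coordinate."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


class ToyDualEC:
    """s_{i+1} = x(s_i * P); output_i = x(s_{i+1} * Q) with the top TRUNC bits dropped."""

    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed % P_MOD, P, Q

    def next_output(self):
        sp = mul(self.s, self.P)
        rq = mul(sp[0], self.Q) if sp is not INF else INF
        if sp is INF or rq is INF:
            raise ValueError("degenerate state on this toy curve")
        self.s = sp[0]
        return rq[0] & OUT_MASK


def recover_next_state(output, e):
    """Holder of e with P = e*Q: lift each completion of the truncated x back to a
    point R = +-(s*Q); then x(e*R) = x(s*P) is the generator's next state."""
    cands = set()
    for hi in range(1 << TRUNC):
        x = (hi << OUT_BITS) | output
        if x >= P_MOD:
            continue
        R = lift_x(x)
        if R is None:
            continue
        nxt = mul(e, R)
        if nxt is not INF:
            cands.add(nxt[0])
    return cands


def demo(seed=4242, e=1337):
    """Returns (true next state was recovered, true next output was predicted)."""
    Q = (1, 1)                # constructed base point: 1 + 1 - 1 = 1 = 1^2 (mod P_MOD)
    P = mul(e, Q)             # the trapdoor: whoever chose P and Q knows e
    drbg = ToyDualEC(seed, P, Q)
    out1 = drbg.next_output()
    cands = recover_next_state(out1, e)               # from one output only
    predicted = set()
    for s in cands:
        pt = mul(s, Q)
        if pt is not INF:
            predicted.add(pt[0] & OUT_MASK)
    out2 = drbg.next_output()
    return drbg.s in cands, out2 in predicted


if __name__ == "__main__":
    print(demo())             # (True, True): one output leaks the whole future stream
```

The point for a defender is that nothing in the output stream distinguishes a trapdoored (P, Q) from an honest pair; only the provenance of the constants does. That is why the Shumow-Ferguson observation turned on who picked Q, and why a generator whose constants are not verifiably random is not worth deploying.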

------
0x0
Please don't hijack pinch-to-zoom gestures with javascript that loads random
articles on your blog. (iOS mobilesafari). Thanks.

------
iwwr
So right now, what are recommended public key, ciphers and hash functions for
reasonable crypto safety? What about safe crypto PRNGs?

Ubuntu's gpg lists the following:

    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224

~~~
xenophonf
For starters, please refer to
[https://wiki.mozilla.org/Security/Server_Side_TLS](https://wiki.mozilla.org/Security/Server_Side_TLS).
For SSH, I lack clear, good advice. I've tended to disable weaker ciphersuites
using Mozilla's TLS configuration advice as a guide, and I've also tended to
use larger key sizes than the defaults. As questionable as NIST's guidelines
have been lately, I tend to follow the high end of their recommended key
sizes, so 4096-byte public keys, etc.

~~~
phunge
This was some recent advice for SSH:
[https://stribika.github.io/2015/01/04/secure-secure-shell.ht...](https://stribika.github.io/2015/01/04/secure-secure-shell.html)

It was discussed on HN; at the time no one pointed out anything glaring
about the advice given.

~~~
PhantomGremlin
That's a nice link, thanks. I like the writing style. Clear advice, with
explanations, not too wordy.

Do you have a pointer to the HN discussion?

~~~
jzwinck
It was discussed here:
[https://news.ycombinator.com/item?id=8843994](https://news.ycombinator.com/item?id=8843994)

~~~
xenophonf
Thanks for the links!

------
throwaway7746
I'd be interested in hearing tptacek's response here, as he has claimed in his
past comments that "no serious cryptographer" believes Dual EC DRBG was
backdoored. Is Matthew Green not a "serious cryptographer"?

