
Is Extended Random a Malicious NSA Plot? - pmh
http://sockpuppet.org/blog/2015/08/04/is-extended-random-malicious/
======
seiji
For your web inspector console:

    $("body").html($("body").html().replace(/Clyde Frog/g, "the NSA"))

Update: more proper

    $("body").html($("body").html().replace(/Clyde[\s\r\n]Frog/g, "the NSA").replace(/\. t/g, ". T"))

~~~
tptacek
That's not perfectly accurate; the reason I think an abstract name is helpful
is that GCHQ is just as bad, if not worse: it's handy to have a name that
captures all of them.

~~~
seiji
In my defense, when I first skimmed the article I missed the note about the
secondary meaning and was quite confused. "New hacker group? Old hacker group
I don't know about? Kids these days..."

~~~
jlgaddis
I did too. I assumed it was referring to an individual working for USG
(although "Frog" is a pretty uncommon surname, I'd think).

------
mindslight
Tangential forward-looking paranoia:

I've got to wonder if the DUAL_EC debacle only appears so ham-fisted because
the public understanding of public key crypto is much further ahead than our
understanding of symmetric ciphers. Universities employ armies of
mathematicians studying mathematical structures for their own right, whereas
shuffling bits isn't sexy.

Conversely, "Clyde Frog" has been studying symmetric ciphers much longer and
harder (symmetric is sufficient for nation-state security) and could have a
deep symbolic understanding of common symmetric constructions akin to how we
see the public-key math. They would then know how to choose constants that
admit similar backdoors, and the entropy of "nothing up my sleeve numbers"
isn't exactly well quantified.

Rather than a proactive attempt, DUAL_EC could have been a _reaction_ to
worries about movement to RNGs based on asymmetric math.

~~~
why-el
> symmetric is sufficient for nation-state security

Is that a verifiable assertion? Would love to read more about it.

~~~
mindslight
Governments can afford to employ people to transport N^2 keying material.
Additionally, they have predefined communications patterns.

Even if part of the government moves to asymmetric algorithms for key
distribution (only possible after the discovery of Diffie-Hellman), the top
secret portions can continue using couriers to avoid relying on an additional
algorithm.

Combined with its standard use for bulk ciphering, symmetric is obviously the
more valuable target to secure/break.

~~~
fossuser
Public Key crypto was discovered by GCHQ (and then given to the NSA) several
years before it was publicly discovered by Diffie-Hellman and RSA. I think
this was to avoid having to have the symmetric keys under armed guard. The
public discovery is also what kicked off the 'crypto wars'. I'd be surprised
if modern nation state intelligence communities found symmetric encryption
sufficient.

A lot of interesting information about the history I learned from Steven
Levy's Crypto: [http://www.amazon.com/Crypto-Rebels-Government-Privacy-Digit...](http://www.amazon.com/Crypto-Rebels-Government-Privacy-Digital/dp/0140244328)

~~~
mindslight
Oh yeah, I'd forgotten about Cocks. Blame my selective memory for withholding
credit from people who don't share.

Spooks would of course welcome any discovery, and asymmetric crypto does solve
problems for them (getting government crypto distributed as wide as possible).
I am saying purely symmetric is "sufficient" for their core functionality -
the communications that really _need_ to be secret. Coupled with the head
start before asymmetric was even discovered, that is where their focus is
going to be.

Put another way: if you were in charge of securing communications and had to
prioritize resources, would you rather research a trustworthy asymmetric
algorithm or a trusty symmetric algorithm? Likewise if you wanted to snoop on
others' communications, would you prioritize breaking symmetric or asymmetric
techniques?

------
gghh
Just out of curiosity, are those jabber chat rooms public? tptacek mentions
some jabber logs of the TLS working group.

~~~
jakeogh
[http://datatracker.ietf.org/wg/tls/charter/](http://datatracker.ietf.org/wg/tls/charter/)

------
logicallee
May I just say, I am extremely happy that the NSA has to jump through such
incredibly laborious hoops to gain a glimpse into anything, a capability which
they would then fail to acknowledge at any price.

This is the OPPOSITE of a dictatorship, where there would simply be a heavy-
handed order to put in an explicit, acknowledged back door or be jailed
without trial, or executed.

This is what freedom looks like. Enjoy it!

I personally also enjoy the fact that nobody with a few million dollars in
spare change can surf the dark web as Dr. evil. But that's just me.

 _EDIT: this comment is at -1, perhaps people thought I was making a
ham-fisted sarcastic statement. I'm speaking literally. You all can keep either
your dictatorship, or the society in which someone can commit an act of
terrorism for the going black market rate without any repercussions; if it's a
false dichotomy, you'll have to explain why._

 _EDIT 2: this comment is fluctuating wildly (-2, +2, 0, etc) especially since
my edit. Thoughtful replies would probably be more helpful than voting here._

------
euroclydon
_Except for Hoffman’s last proposal, the extensions are cordoned off to the US
Government. The sponsors of the standards and their authors make very little
effort to provide a use case for normal Internet users._

If this were an X-Files episode, then the group who really runs the world
would be forcing the USG to subvert its own crypto.

------
Raj123123
Why would Certicom bother filing a patent(s) on this. The only likely
buyer/licensee would be a nation state - which can easily appropriate whatever
IP it desires. Further, NSA paying/licensing with a foreign company (Canadian
Certicom) only adds to the number of people in the know. Likely Certicom
realized this and contributes to the reason why some of the patent
applications were never pursued beyond provisional patent applications.

------
typeformer
Certainly seems like a very well crafted but poorly executed plot to me. The
tricky thing is how the hell do you really expose it? There are so many levels
of obfuscation both by the people who are putting forth the proposal and the
technical details as well.

------
ghshephard
Can anyone figure out whether USG is Unix Systems Group or United States
Government. (I think we're safe in assuming they aren't United States Gypsum
(though, from my trips through Empire to Gerlach, that was the first thing
that came to mind)). [Edit - if you read through the entire (epic and
wonderful resource) article, United States Government is used where USG might
be - so I think we are safe in assuming it is United States Government.
tptacek, might be worth introducing the acronym at the beginning.]

~~~
wfunction
I thought it was the US Government.

------
Raj123123
PKRNG - if the attacker obtains the private key, why do they need the
28+bytes?

~~~
tedunangst
The attacker doesn't have the TLS private key, they have the RNG key. But they
don't have the RNG seed. Recovering the seed is necessary to predict other RNG
outputs and break TLS, but requires observing more RNG output than one
typically sees.

~~~
rst
FWIW, the operative theory here is that "Extended Random" was designed to work
in concert with the DUAL_EC DRBG/RNG, which almost certainly allows "Clyde
Frog" to predict all future output on the basis of _very_ few samples.

~~~
Raj123123
seems they aren't limited to just future output:

"Using that private key, they can observe CSPRNG output on the wire, “decrypt
it”, and use that to rewind and fast-forward other people’s CSPRNGs,
discovering their keys."
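As an added illustration of the property tedunangst and rst describe above (the trapdoor holder recovers the generator's internal state from its output, but needs more than one output block to do so without ambiguity): a toy Dual_EC-style generator on a constructed 10-bit curve. This is example code written for this thread, not code from the article, and the field, curve, base point and trapdoor are all made up; nothing here is the NIST P-256 curve or its constants. The trapdoor is a scalar `d` chosen so that `d*Q = P`, which is exactly the relation the article's argument turns on. The example only moves forward from the recovered state; it does not rewind.

```python
"""Toy Dual_EC-style generator with a trapdoor relation between P and Q.

Constructed illustration: a 10-bit prime field, a made-up curve and made-up
constants. Whoever knows d with d*Q == P can take one truncated output,
lift it back to a curve point, multiply by d and obtain the generator's next
state; a second output is needed to tell the candidates apart.
"""
from math import gcd

PRIME = 1019          # constructed tiny field; PRIME % 4 == 3 makes sqrt easy
A, B = 2, 3           # constructed curve y^2 = x^3 + A*x + B over GF(PRIME)
OUT_BITS = 7          # low bits of the x-coordinate that the generator emits
INF = None            # point at infinity


def ec_add(p, q):
    """Affine point addition on the toy curve."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return INF                                  # p == -q
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow((x2 - x1) % PRIME, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    y3 = (lam * (x1 - x3) - y1) % PRIME
    return (x3, y3)


def ec_mul(k, p):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with x-coordinate x, or None if there is none."""
    rhs = (x * x * x + A * x + B) % PRIME
    y = pow(rhs, (PRIME + 1) // 4, PRIME)         # valid because PRIME % 4 == 3
    return (x, y) if (y * y) % PRIME == rhs else None


def xcoord(pt):
    return 0 if pt is INF else pt[0]


def point_order(p):
    n, acc = 1, p
    while acc is not INF:
        acc = ec_add(acc, p)
        n += 1
    return n


def make_params():
    """Pick a base point P with a usable order, a trapdoor d, and Q = d^-1 * P."""
    for x in range(1, PRIME):
        P = lift_x(x)
        if P is None or P[1] == 0:
            continue
        n = point_order(P)
        if n > 100:
            break
    d = next(k for k in range(2, n) if gcd(k, n) == 1)   # constructed trapdoor
    Q = ec_mul(pow(d, -1, n), P)                          # so that d*Q == P
    return P, Q, n, d


P, Q, ORDER, TRAPDOOR = make_params()


def dual_ec_step(state):
    """One generator step: (next_state, truncated_output)."""
    r = xcoord(ec_mul(state, P))
    nxt = xcoord(ec_mul(r, P))
    out = xcoord(ec_mul(r, Q)) % (1 << OUT_BITS)
    return nxt, out


def generate(seed, count):
    outs, s = [], seed
    for _ in range(count):
        s, o = dual_ec_step(s)
        outs.append(o)
    return outs


def recover_state(outputs, d=TRAPDOOR):
    """Trapdoor holder's view: states that follow outputs[0] and reproduce the rest."""
    first, rest = outputs[0], outputs[1:]
    candidates = set()
    for x in range(first, PRIME, 1 << OUT_BITS):  # every x with these low bits
        R = lift_x(x)                             # +/-(r*Q); either sign works
        if R is None:
            continue
        s = xcoord(ec_mul(d, R))                  # d*(r*Q) = r*P: the next state
        if generate(s, len(rest)) == rest:
            candidates.add(s)
    return candidates
```

With a single output block `recover_state(outs[:1])` usually returns several candidate states (the truncation hides the top bits, and each surviving x lifts to a point); feeding it a second block prunes them to the real one, after which every later output of the victim generator can be produced from that state. The published criticism of Dual_EC is that nobody outside the party who generated the constants can show that no such `d` exists for the standard's P and Q.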

------
kens
I hate to ask a dumb question, but the article discusses the actions of Clyde
Frog a lot. Is Clyde Frog a person, a company, a government project, or what?
A web search found a TV show and a stuffed animal, so I'm honestly puzzled.

Edit: thanks cmg. I was reading the article on my phone and the side notes
were off screen so I totally missed the explanation.

~~~
cmg
In small (11px), light-ish (#777777) next to the first paragraph:

> If I call NSA “Clyde Frog” long enough, eventually other people will too.
> Someone has to start the meme! I think Dual_EC is a backdoor.

~~~
mwcampbell
First time I've ever seen sidenotes done like that.

BTW, screen reader users (i.e. blind people) can't possibly miss the
sidenotes; in fact, each sidenote will interrupt the text at the point where
the note is most relevant. So a screen reader will render the first sentence
like this:

Did Clyde Frog If I call NSA “Clyde Frog” long enough, eventually other people
will too. Someone has to start the meme! subvert crypto standards with a
backdoored random number generator called Dual_EC?

A little jarring when first encountered. (In my case, because I have some
usable vision, I could tell what was going on.) I'd suggest sticking with more
conventional footnotes, but I can see why this form of sidenote was appealing.

~~~
dredmorbius
Proper support for footnotes / sidenotes in HTML itself would be dandy.
There's not, so people write hacks. I've done a few myself.

Presently footnoting is either manual or requires a preprocessor -- LaTeX,
Markdown, CMS, etc.

------
HashThis
That is because Jerry Solinas works for the NSA. Jerry Solinas @ NSA @
jasolin@orion.ncsc.mil.

Notice that the company "Clyde Frog" doesn't have a company website. Notice
that Jerry Solinas doesn't have a LinkedIn profile.

~~~
tptacek
woosh

------
ackalker
It may be my (somewhat archaic) sense of crypto humor, but any time I read the
term "Dual EC", my mind says "CE lauD", making it sound like someone saying
the word "cloud" with an accent expressing a lot of disdain[1].

Anyway, the Dual EC backdoor, if real, along with the extra randomness, may
yet prove to be part of "the gubment's" very own cloudbusting operation, to
make cloud services rain users' secrets at the push of a button...

[1]: _cf._ "my butt"

------
jgon
Doesn't this essay absolutely bury one of the most important parts of this
scandal, that RSA used DUAL_EC as the default random number generator in their
FIPS certified encryption product for almost a decade!?! I note that this is
glossed over with a description so marginal I would be tempted to call it
dishonest if I were not trying to apply the principle of charity to its
author. "RSA BSAFE had support for DUAL_EC." Support!? Uh no, it used it as
the default generator.

"I lean towards “not”; the structure of these proposals makes Clyde Frog’s job
needlessly harder, if only by practically ensuring that OpenSSL and Schannel
would never default to enabling them. But people smarter than me are convicted
of the idea that this was a backdoor attempt." Well yeah it would make their
job harder unless one of the largest security companies in the world used that
random generator in their flagship encryption product!!!

I feel like maybe there are better arguments for why this was not a subversion
attempt, but honestly the points for seem so, _so_ strong and the points
against seem like a mountain of wishy-washy humming and hawing and extending
the principle of charity even in the face of the above-mentioned giant blaring
klaxon of wrong-doing. I will still not say that reasonable people can't
disagree over the question at hand but the arguments presented in this article
don't strike me as being anywhere near strong enough to make this the sort of
grey area the author would like.

~~~
kordless
> I will still not say that reasonable people can't disagree over the question
> at hand but the arguments presented in this article don't strike me as being
> anywhere near strong enough to make this the sort of grey area the author
> would like.

You have three negations in this sentence, which means it's nearly impossible
to parse or understand. It's been my observation statements like these follow
rationalizations about a point in which there exists dissonance. Given you
seem to be disagreeing with something Thomas said or the way he said it, but
not actually disagreeing with a point he made, I'd say that is the case here
as well.

Violations of our privacy via rationalizations of security make me sad and
bored. I think we can all agree that things could be better with the
situation, and I for one appreciate Thomas' efforts in bringing the truth to
light.

~~~
mod
> I will still not say that reasonable people can't disagree over the question
> at hand but the arguments presented in this article don't strike me as being
> anywhere near strong enough to make this the sort of grey area the author
> would like.

I didn't think it was that hard to read. It made sense on my first read, but
here's my translation:

"I can see how arguments exist on both sides, but I don't think the author
supported his argument with enough evidence to make it very relevant."

