NIST "strongly" suggests dropping its own encryption standard (arstechnica.com)
291 points by fejr on Sept 13, 2013 | hide | past | web | favorite | 56 comments

This is an article about Dual_EC_DRBG.. [edit: the final algo was] published in June 2006, and criticized as insecure by the end of June 2006. Here's Schneier's summary: https://www.schneier.com/essay-198.html

First critic from June 2006: http://eprint.iacr.org/2006/190

Not only was it immediately criticized as being insecure, it's also slow.. I doubt anyone used this algo.. certainly, after 7 years of public criticism, anyone who used it would have replaced it by now.

> I doubt anyone used this algo...

Apparently RSA Security uses it as a default.

http://developer-content.emc.com/docs/rsashare/share_for_jav... https://lwn.net/Articles/566329/

Interesting. Thanks for the link.. it's the first example of it actually being used I've seen.

If anyone else has other examples, I would be interested in those too.

If you look at http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.... you can see who's using EC_DRBG.

Most notably apart from RSA is the "McAfee Firewall Enterprise Control Center" (who actually use RSA's library)

So, when are we going to start seeing CVEs from these vendors, and updates to their software that disable this "feature"?

Cisco, Certicom, RSA, McAfee (via RSA), Juniper, Blackberry/RIM, OpenPeak, OpenSSL, Samsung, Symantec, Riverbed, Cummings Engineering, CoCo Communications, Kony, Lancope (via RSA), Mocana, Safenet, SafeLogic, Panzura, Microsoft, Thales e-Security, Catbird, ARX all list Dual_EC_DRBG as at least supported.

Of these, RSA (and presumably the others based on their library, like McAfee and Lancope), Thales e-Security, and possibly Microsoft (Windows Server 2008 R2 lists only Dual_EC_DRBG, though it's possible that that's just their only FIPS compliant one and they use some non-standard algorithm by default) seem to use Dual_EC_DRBG by default or as the only option. I haven't tried finding documentation on all of these to see if they say what their default algorithm is, so it may be more.

edit to add: Found this discussion on the OpenSSL users list, about why they added it. Apparently it was because a paying customer requested it, though the customer is not named for confidentiality reasons. OpenSSL doesn't appear to enable the NIST/FIPS random number generators unless you compile it in FIPS mode (at least, as far as I can tell from a quick look; their build system is a bit weird, and FIPS mode is even stranger):


That tells you who has a certification for it. Note most people have certifications for multiple RNGs, including openssl (indeed a few of those modules are wrappers around openssl).

The one company that only has a cert for EC_DRBG, and thus can reasonably be inferred to be using it, is Lancope, a network security/firewall company. For the rest of them, we don't know.

McAfee Firewall Enterprise Control Center only has Dual EC_DRBG certified (despite the fact the RSA library they use supports others; strongly suggesting it's what they actually use).

McAfee Firewall Enterprise Control Center has certifications 340, 333, 163, 162 and 340. Two of those are for HMAC_Based_DRBG.

"The default Pseudo Random Number Generator (PRNG) is the Dual EC-DRBG using a P256 curve with prediction resistance off."

... later ...

"Using a weak PRNG is inadvisable as it may allow attackers to predict the values of secret information such as session keys."

A few days ago, there was a lot of talk about how Tor has backdoors, because it is funded by the US Government.

The answer to that question is also here. You have the NIST, a government entity that is opposing another government entity, the NSA, because the former does not agree with the latter's practices. We should not forget that the government is not one cohesive entity and this is an example of that.

Likewise, one should also remember that no single entity is singularly cohesive; that there are people working from within, even from within the "controversial" agencies, trying to make the places they work better for the country.

There is certainly much good intention, more than is given credit for, in most government agencies. The reason I don't want to fund them to a great extent is that the bureaucracy of almost any large entity causes serious problems in inefficiency. I'd not want IBM running our government, and I don't want our federal government running our government.

People might be surprised at how much public-private cooperation goes on between businesses and government research entities like NIST.

In fact, an explicit part of NIST's role is filling in science that businesses need but can't do themselves.

NIST started out as the National Bureau of Standards. It sits in the Department of Commerce. Most of its activities are directed at tasks-- like standardizing measurements-- that businesses depend on, but are too small, or too balkanized, to do effectively on their own.

Unless, you know, you like every corner gas station having its own definition of "gallon", and every appliance manufacturer rating its offerings using different definitions of energy, and every steel producer specifying tensile strength according to its own test procedure.

Disclosure-- I had a post-doc at NIST in the late 1990s.

Is the DEC PRG not the same as the Dual EC DRBG (also by Kelsey), or is the 2006 paper wrong about Dual EC being breakable on a desktop computer, or is there some other subtlety I'm missing? Because the conclusion Ferguson came to in '07 wasn't that Dual EC was bad because it was trivially breakable.

(Nobody I know of uses Dual-EC, and you shouldn't either).

The 2006 paper calls the Dual EC DRBG as DEC PRG. They're the same thing.

Their attack does work in the advertised time, but it is a purely distinguishing attack, i.e., it tells you "this stream of random bits was generated by the DEC PRG". It does this by verifying that the 256-bit integers constructed using the 240 bits of the generator's output as least-significant bits are more often valid points on the P-256 curve than truly random 240-bit strings would be. A 2007 paper extended this to predict bits.

EDIT: Actually, for the record, the first public attack on the generator was a predictor, in March 2006 [1]. Citing its conclusion:

"While the practical impact of these results are modest, it is hard to see how these flaws would be acceptable in a pseudo-random bit generator based on symmetric cryptographic primitives. They should not be accepted in a generator based on number-theoretic assumptions."

[1] http://www.math.ntnu.no/~kristiag/drafts/dual-ec-drbg-commen...
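The generator the comment above describes, as an added example that is not code from the thread, from NIST, or from any vendor named here: Dual_EC_DRBG's two-point structure on P-256, where each output is the x-coordinate of s*Q with its top 16 bits dropped, leaving 240 bits. P is taken as the standard base point G and Q is constructed as 7*G (an assumption, since SP 800-90A fixes its own Q), so the numbers are illustrative only; the returned untruncated x-coordinates let you confirm that every output really is a truncated curve x-coordinate, which is the property the distinguishing attack exploits.

```python
# Dual_EC_DRBG on P-256, structure only (added example, not vendor or NIST code):
# s_i = x(s_{i-1} * P), r_i = x(s_i * Q), and the top 16 bits of the 256-bit
# x-coordinate are dropped, leaving 240 output bits.  Q is an assumed multiple of G.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def is_valid_x(x):
    """True if x is the x-coordinate of some P-256 point (Euler's criterion)."""
    rhs = (x * x * x + A * x + B) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1

Q = mul(7, G)  # assumption: SP 800-90A fixes its own Q; this one is constructed

def dual_ec_outputs(seed, count, p_point=G, q_point=Q):
    """Return `count` 240-bit outputs and the untruncated x-coordinates behind them."""
    s, outs, full = seed % N, [], []
    if s == 0:
        raise ValueError("seed must be nonzero mod n")
    for _ in range(count):
        s = mul(s, p_point)[0]             # state update: x-coordinate of s*P
        r = mul(s, q_point)[0]             # output: x-coordinate of s*Q
        full.append(r)
        outs.append(r & ((1 << 240) - 1))  # drop the 16 high bits
    return outs, full
```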

That made perfect sense. A gem of a comment. Thank you!

Note that the original article is from ProPublica and the original headline was:

"Government Standards Agency “Strongly” Suggests Dropping its Own Encryption Standard"


Ars Technica, however, changed it and added in "NSA-influenced algorithm" because, you know, clicks.

It is also somewhat more informative about why they might possibly want people to drop it.

Here's the NIST document from their own site, in case you'd like to skip the article: http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supp...

Am I blind, or does the article never once mention which encryption standard it's talking about?

It does.

> The NIST standard describes what is known as an "elliptic curve-based deterministic random bit generator."

And also links in the first paragraph to: http://www.propublica.org/documents/item/785571-itlbul2013-0...

> Asked whether Microsoft would continue to use the encryption standard in some of its software, a spokesperson said the company "is evaluating NIST's recent recommendations and as always, will take the appropriate action to protect our customers."

Pretty funny, coming from an NSA partner company.

To the downvoters-instead-of-comment-leavers:

We know today that MS hands exploits over to the NSA.

Also, the likelihood that the NSA was allowed to integrate backdoors in MS Windows is extremely high.

How do you square that with "take the appropriate action to protect our customers"?

Additionally, backdoors/exploits can be used not only by their creators but also by others who find them, making MS's "protect the customers" claim even more ridiculous.

NSA is a customer, too.

Did you notice the circus arriving recently?

  1. FBI Admits It Controlled Tor Servers Behind Mass Malware Attack (wired.com)
  2. NIST "strongly" suggests dropping its own encryption standard (arstechnica.com)
  3. No more CSS and HTML, just JS (ojjs.org)

I can't figure out the relation between the third one and first two.

I don't understand the rationale to introduce such weakness. The NSA doesn't have the monopoly on spying and cracking code. This weakens the defense of the USA's interests as well. This raises again the question of whether we can trust the people holding such power in their hands.

The NSA thinks that if they have a backdoor into everything and a way to access everything, then they can make US "secure", through offensive means.

Yeah, that's what you get when you have an agency run by an army general.

>The NSA declined to comment.

That's a shocker.

Never Say Anything

People referred to them as "No Such Agency" for a long time. It's kind of nice to see how they went from extreme public obscurity to a household name; it's hard to stay clandestine when even Joe Nobody knows who you are and exactly what you do.

> and exactly what you do.

No. We know some things they do. We don't know what else and how much they do.

Sorry, I was somewhat ambiguous. I meant:

Now most of the general public knows the nature of their work and some of the details surrounding it.

Hopefully that will accelerate its abolition.

You seriously want us to be SIGINT blind?

If our SIGINT collecting organizations can't do it without breaking the most important laws of our country, yes.

NSA has been murdering people?

Laws surrounding murder by and large aren't all that important. If it wasn't illegal you'd just have mob justice filling the gap, as murder is generally frowned upon quite severely by society.

Ideas surrounding freedom, liberty, and privacy are very complex, easily confused, and often forgotten until it's too late. The laws around these things are mechanisms which help protect what your country supposedly holds dear.

But in answer to your actual question, would you believe them if they said they hadn't?

Don't get excited, I'm sure that its successor has already been minted.

It's unlikely that that would happen, unless we suddenly get a new president in the coming years who is unlike the rest and vehemently anti-domestic surveillance.

They might undergo some reform, but the government apparatus has been far too reliant on many aspects of their work to actually shut them down.

That's because when they do, it often sounds just like a lie.

Read it on Wikileaks next month.

I "strongly suggest" everyone drops NIST's encryption standards as soon as there are viable alternatives to them. They can't be trusted ever again, and it's best to form another truly international security standards body, anyway, with ties to no government.

And how do you know the "independent" organization that comes up with the next encryption standard wasn't covertly influenced or controlled by a hostile entity[1]?

Public scrutiny and peer review are the best defenses, and the NIST did as much.

[1] IMHO, I'm far more concerned about China and Russia than the US.

This. Seriously, their algorithms and mathematics are public and under constant scrutiny from the entire cryptographic community. The vulnerabilities in RSA are known, sha already has a third version ready if a systemic weakness in 128->512 bit sha1/2 is revealed, and AES may require 512 bit keys for guaranteed security in the future, but seems solid.

They can't backdoor a math function because all 3 have been implemented by dozens of libraries and programs independently.

AES is only defined for 128, 192, or 256 bit keys. You'd need to switch to a different block cipher like Blowfish (up to 448 bit keys), RC2 (up to 1024 bit keys), or RC5 (up to 2048 bit keys) to have a larger keyspace.

If Bruce Schneier thinks that strong symmetric crypto works (the math behind it is sound) I think I will also trust it.

The attacks are usually on the implementations or subverting the rng. Or plain old thermorectal cryptoanalysis - it obtains both symmetrical and asymmetrical keys in fixed time.

So much for AES. Time to go back to blowfish.

Blowfish is very old. Try Twofish or Camellia.

If Microsoft was seriously pissed and not fearful, they'd sic Microsoft Research on them.

Also Google, FB, Yahoo etc should provide grants so independent cryptologists can spend time to review and test encryption standards. They don't have to match NSA's budget...

> independent cryptologists can spend time to review and test encryption standards.

It's a small world. They need money to do their work. MS, Google, FB, Yahoo!, etc haven't been providing the funding or the jobs. GCHQ, NSA, etc have been providing money and jobs. It's too late - there are no independent cryptologists.

EG: (http://www.cs.bris.ac.uk/Research/CryptographySecurity/) (http://bsc.bris.ac.uk/) and (http://www.blogger.com/comment.g?blogID=14836817&postID=1126...) {expand the original comment with this last link} (http://www.maths.bris.ac.uk/research/heilbronn_institute/)

Maybe, but Google, Microsoft, FB and other top tech companies are even more connected to colleges than the NSA. They know their top students and can easily lure them with grants and even prizes. I remember talking to PhD students having to live on $20K a year; imagine how a $50K grant and a possible $1 Million prize feels to him/her. If needed, tech companies as a whole can very easily outspend the NSA, if they want to. Unless they do something, other than filing PR lawsuits, they have only themselves to blame.

(Of course the brightest mathematicians are used to fool people into clicking on ads. But that's another story.)

Yes, MS has very close tight links with Cambridge university.

> I remember talking to PhD students having to live on $20K a year

The spooks recruit before the PhD if the person is good enough.
