On 5 Sep 2013, at 23:14, Tim Dierks <t...@dierks.org> wrote:
> I believe it is Dual_EC_DRBG. The ProPublica story says:
> Classified N.S.A. memos appear to confirm that the fatal weakness, discovered
> by two Microsoft cryptographers in 2007, was engineered by the agency. The
> N.S.A. wrote the standard and aggressively pushed it on the international
> group, privately calling the effort “a challenge in finesse.”
> This appears to describe the NIST SP 800-90 situation pretty precisely. I
> found Schneier's contemporaneous article to be good at refreshing my memory:
> http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
As a co-author of an analysis of Dual-EC-DRBG that did not emphasize this problem (we only stated that Q had to be chosen at random; Ferguson & co. were right to emphasize this point), I would like to ask: has anyone, anywhere ever seen someone use Dual-EC-DRBG? I mean, who on earth would be daft enough to use the slowest possible DRBG? If this is the best NSA can do, they are over-hyped.

(If you really do want to use Dual-EC-DRBG: truncate more than 16 bits, and don't use NSA's points, choose your own - at random.)

-- 
Kristian Gjøsteen

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
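Added worked example, not part of the thread and not code from NIST or from the authors mentioned above: a toy Dual_EC_DRBG on a constructed 14-bit curve where Q = e*P for a secret e, which is exactly the relationship between the two points that the reply's "choose your own - at random" advice rules out. The curve constants, the seed, the number of dropped bits and the function names (dual_ec_outputs, recover_states, predict_next) are all assumptions made for this illustration; P-256 is not used so the arithmetic stays readable.

```python
# Toy Dual_EC_DRBG with a trapdoor Q = e*P: why Q must be independent of P, and why
# dropping only a few output bits is cheap for the attacker. Added illustration, not
# code from the thread or from NIST; curve, constants and seed are constructed (not P-256).
from math import gcd
from typing import List, Optional, Set, Tuple

P_MOD, A, B = 10007, 7, 11          # constructed curve y^2 = x^3 + A*x + B over F_p, p % 4 == 3
Point = Optional[Tuple[int, int]]   # None is the point at infinity
XBITS = P_MOD.bit_length()          # 14-bit x-coordinates
DROP = 4                            # top bits discarded per output (Dual_EC drops 16 of 256)

def lift_x(x: int) -> Point:
    """Curve point with x-coordinate x, or None if none exists (p % 4 == 3 sqrt trick)."""
    if not 0 <= x < P_MOD:
        return None
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if (y * y) % P_MOD == rhs else None

def add(p1: Point, p2: Point) -> Point:
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k: int, pt: Point) -> Point:
    acc, addend = None, pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend, k = add(addend, addend), k >> 1
    return acc

def point_order(pt: Point) -> int:
    n, cur = 1, pt
    while cur is not None:
        cur, n = add(cur, pt), n + 1
    return n

P_BASE = next(pt for pt in map(lift_x, range(2, P_MOD)) if pt and pt[1])  # skip order-2 point
N = point_order(P_BASE)

# The backdoored way to pick Q: Q = e*P with e secret, so d = e^-1 mod N satisfies d*Q = P.
E_SECRET = 1234
while gcd(E_SECRET, N) != 1:
    E_SECRET += 1
Q_TRAP, D_TRAP = mul(E_SECRET, P_BASE), pow(E_SECRET, -1, N)

def x_coord(pt: Point) -> int:
    if pt is None:
        raise ValueError("point at infinity; pick another seed")
    return pt[0]

def truncate(r: int) -> int: return r & ((1 << (XBITS - DROP)) - 1)

def dual_ec_outputs(seed: int, q: Point, count: int) -> Tuple[List[int], List[int]]:
    """SP 800-90 update: s <- x(s*P); r <- x(s*Q); emit r minus its top DROP bits.
    Returns (outputs, states), states[i] being the state that produced outputs[i]."""
    s, outs, states = seed, [], []
    for _ in range(count):
        s = x_coord(mul(s, P_BASE))
        outs.append(truncate(x_coord(mul(s, q))))
        states.append(s)
    return outs, states

def recover_states(outputs: List[int], d: int, q: Point) -> Set[int]:
    """Trapdoor attack: each on-curve completion of r_i is a guess for R_i = s_i*Q, and
    d*R_i = s_i*P has x-coordinate s_{i+1}. Keep the guesses that also reproduce r_{i+1}."""
    found = set()
    for high in range(1 << DROP):
        guess = lift_x((high << (XBITS - DROP)) | outputs[0])
        nxt = mul(d, guess) if guess is not None else None
        check = mul(nxt[0], q) if nxt is not None else None
        if check is not None and truncate(check[0]) == outputs[1]:
            found.add(nxt[0])
    return found

def predict_next(outputs: List[int], d: int, q: Point) -> Set[int]:
    """What the attacker predicts for r_{i+2} from r_i and r_{i+1} alone."""
    preds = set()
    for s in recover_states(outputs, d, q):
        try:
            preds.add(dual_ec_outputs(s, q, 1)[0][0])
        except ValueError:
            pass
    return preds

def demo(seed: int = 4242) -> bool:
    outs, states = dual_ec_outputs(seed, Q_TRAP, 3)
    return states[1] in recover_states(outs, D_TRAP, Q_TRAP) and \
        outs[2] in predict_next(outs, D_TRAP, Q_TRAP)
```

With DROP = 4 the attacker lifts at most 16 candidate points per output; the standard's 16 dropped bits of a 256-bit coordinate cost 2^16 lifts, which is why the reply says to truncate more than 16 bits. The attack needs a d with d*Q = P: if Q is chosen independently of P, finding d is a discrete logarithm (easy to brute-force on this toy curve, infeasible on P-256), which is the substance of the "choose your own points at random" remark.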