First, I don't think it has anything to do with Dual EC DRBG.  Who uses it?  

My impression is that most of the encryption that fits what's in the article is 
TLS/SSL.  That is what secures most encrypted content going online.  The easy 
way to compromise that in a passive attack is to compromise servers' private 
keys, via cryptanalysis or compromise or bad key generation.  For server side 
TLS using RSA, guessing just the client's random values ought to be enough to 
read the traffic.  

For active attacks, getting alternative certs issued for a given host and 
playing man in the middle would work.  

Where do the world's crypto random numbers come from?  My guess is some version 
of the Windows crypto api and /dev/random or /dev/urandom account for most of them.  
What does most of the world's TLS?  OpenSSL and a few other libraries, is my 
guess.  But someone must have good data about this.  

My broader question is, how the hell did a sysadmin in Hawaii get hold of 
something that had to be super secret?  He must have been stealing files from 
some very high ranking people.  

--John
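Added illustration, not part of John's message or of the list thread: a Python model of the TLS 1.2 RSA key exchange derivation from RFC 5246 that makes the "guessing just the client's random values" point concrete. It implements the TLS 1.2 PRF (P_SHA256), the master secret and the key block, and then shows that with a predictable client RNG a passive party holding only the Hello messages derives the same session keys as the client, with no need for the server's private key. Assumptions: `predictable_rng` is a constructed, deliberately weak generator for the demo; key sizes follow TLS_RSA_WITH_AES_128_GCM_SHA256; the RSA encryption of the premaster to the server's certificate key is omitted because it plays no part in the derivation; the names `client_handshake` and `passive_observer` are the example's own.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function, RFC 5246 section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), RFC 5246 section 5."""
    return p_sha256(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: the 48-byte master secret. Both randoms travel in
    the clear in the Hello messages, so the premaster is the only secret input."""
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


def session_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key block per RFC 5246 section 6.3 (seed order is server_random first).
    Sizes assumed for TLS_RSA_WITH_AES_128_GCM_SHA256: two 16-byte write keys
    and two 4-byte implicit IVs; an AEAD suite has no MAC keys."""
    kb = tls12_prf(master, b"key expansion", server_random + client_random, 40)
    return {
        "client_write_key": kb[0:16],
        "server_write_key": kb[16:32],
        "client_write_iv": kb[32:36],
        "server_write_iv": kb[36:40],
    }


def predictable_rng(seed: bytes):
    """CONSTRUCTED weak generator for the demo: SHA-256(seed || counter).
    Anyone who knows or can guess the seed reproduces every byte it emits."""
    counter = 0

    def rand(n: int) -> bytes:
        nonlocal counter
        out = b""
        while len(out) < n:
            out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:n]

    return rand


def client_handshake(rand) -> tuple:
    """Client side of an RSA key exchange. The premaster is the version bytes
    (0x0303) plus 46 bytes from the client's RNG; on the wire it is RSA-encrypted
    to the server's certificate key (omitted here, it does not enter the derivation).
    Returns (values visible on the wire, the client's session keys)."""
    client_random = rand(32)
    server_random = os.urandom(32)  # server's public contribution, sent in ServerHello
    premaster = b"\x03\x03" + rand(46)
    ms = master_secret(premaster, client_random, server_random)
    wire = {"client_random": client_random, "server_random": server_random}
    return wire, session_keys(ms, client_random, server_random)


def passive_observer(wire: dict, rand_guess) -> dict:
    """A party holding only a capture of the Hello messages and a guess of the
    client's RNG state replays the client's draws in the same order and derives
    the same keys. The server's private key is never needed."""
    _guessed_client_random = rand_guess(32)  # first 32 bytes went into ClientHello.random
    premaster = b"\x03\x03" + rand_guess(46)
    ms = master_secret(premaster, wire["client_random"], wire["server_random"])
    return session_keys(ms, wire["client_random"], wire["server_random"])


if __name__ == "__main__":
    wire, keys = client_handshake(predictable_rng(b"constructed-weak-seed"))
    recovered = passive_observer(wire, predictable_rng(b"constructed-weak-seed"))
    print("weak client RNG, session keys recovered:", recovered == keys)
    wire, keys = client_handshake(os.urandom)
    recovered = passive_observer(wire, predictable_rng(b"constructed-weak-seed"))
    print("sound client RNG, session keys recovered:", recovered == keys)
```

The defender's reading: in RSA key exchange the session is exactly as strong as the client's entropy source, whatever the server does, so RNG health on clients (seeding at boot, in VMs and on embedded devices) is part of the TLS threat model, and it is one of the reasons to prefer key exchanges that do not let a single party's draw determine the whole secret.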

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
