On 5 Sep 2013, at 23:14, Tim Dierks <t...@dierks.org> wrote:

> I believe it is Dual_EC_DRBG. The ProPublica story says:
> Classified N.S.A. memos appear to confirm that the fatal weakness, discovered 
> by two Microsoft cryptographers in 2007, was engineered by the agency. The 
> N.S.A. wrote the standard and aggressively pushed it on the international 
> group, privately calling the effort “a challenge in finesse.” 
> This appears to describe the NIST SP 800-90 situation pretty precisely. I 
> found Schneier's contemporaneous article to be good at refreshing my memory: 
> http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

As a co-author of an analysis of Dual-EC-DRBG that did not emphasize this 
problem (we only stated that Q had to be chosen at random; Ferguson & co. were 
right to emphasize this point), I would like to ask:

        Has anyone, anywhere ever seen someone use Dual-EC-DRBG?

I mean, who on earth would be daft enough to use the slowest possible DRBG? If 
this is the best NSA can do, they are over-hyped.

(If you really do want to use Dual-EC-DRBG: truncate more than 16 bits, and 
don't use NSA's points, choose your own - at random.)

Kristian Gjøsteen
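To make the two pieces of advice above concrete (a random Q, and more truncation), here is an added toy Dual_EC_DRBG over a 31-bit curve; this is example code written for this post, not the standard's parameters or anything from the author. The curve, the seed, the "Q" point and the trapdoor scalar E are all constructed: E is exactly the relation P = E*Q that a randomly chosen Q would deny to everyone, and the recovery loop costs 2^T guesses, T being the number of truncated bits.

```python
# Toy Dual_EC_DRBG over a 31-bit field; curve, seed and trapdoor scalar are constructed.
P_MOD = (1 << 31) - 1           # p % 4 == 3, so a square root is a single pow()
A, B = P_MOD - 3, 12345         # curve y^2 = x^3 + A*x + B (toy only)
BITS, T = 31, 8                 # x fits in 31 bits; the generator drops the top T bits
MASK = (1 << (BITS - T)) - 1    # SP 800-90A drops 16 of 256 bits; here 8 of 31

def inv(v): return pow(v, P_MOD - 2, P_MOD)

def add(P1, P2):                # affine short-Weierstrass addition; None = infinity
    if P1 is None: return P2
    if P2 is None: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    if P1 == P2: lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, pt):                 # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):                  # (x, y) if some curve point has abscissa x, else None
    v = (x * x * x + A * x + B) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == v else None

Q_PT = next(pt for pt in map(lift_x, range(4242, 9999)) if pt)  # the standard's "Q"
E = 0x1337BEEF                   # trapdoor scalar: only whoever derived Q knows it
P_PT = mul(E, Q_PT)              # P = E*Q; a Q chosen at random gives nobody an E

def dual_ec_outputs(seed, P, Q, n):
    """s_{i+1} = x(s_i*P); output r_i = x(s_i*Q) with the top T bits dropped."""
    s, out = seed, []
    for _ in range(n):
        out.append(mul(s, Q)[0] & MASK)
        s = mul(s, P)[0]
    return out, s

def recover_state(r_i, r_next, Q, e):
    """Knowing e, rebuild s_i*Q from r_i; x(e*(s_i*Q)) = x(s_i*P) is the next state."""
    for hi in range(1 << T):                       # 2^T guesses for the dropped bits
        R = lift_x((hi << (BITS - T)) | r_i)
        if R is None: continue
        cand = mul(e, R)[0]
        if mul(cand, Q)[0] & MASK == r_next:       # confirm against the next output
            return cand
    return None

def demo(seed=987654321):       # returns (true next state, state recovered from outputs)
    outs, _ = dual_ec_outputs(seed, P_PT, Q_PT, 2)
    return mul(seed, P_PT)[0], recover_state(outs[0], outs[1], Q_PT, E)
```

Once the state is recovered, every later output of the generator is predictable; doubling T doubles the loop, which is the only thing the "truncate more" advice buys, while a random Q removes E altogether.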

The cryptography mailing list