On 5 Sep 2013 at 23:14, Tim Dierks <[email protected]> wrote:
> I believe it is Dual_EC_DRBG. The ProPublica story says:
> Classified N.S.A. memos appear to confirm that the fatal weakness, discovered
> by two Microsoft cryptographers in 2007, was engineered by the agency. The
> N.S.A. wrote the standard and aggressively pushed it on the international
> group, privately calling the effort “a challenge in finesse.”
> This appears to describe the NIST SP 800-90 situation pretty precisely. I
> found Schneier's contemporaneous article to be good at refreshing my memory:
> http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115
As a co-author of an analysis of Dual-EC-DRBG that did not emphasize this
problem (we only stated that Q had to be chosen at random; Ferguson & co. were
right to emphasize this point), I would like to ask:
Has anyone, anywhere ever seen someone use Dual-EC-DRBG?
I mean, who on earth would be daft enough to use the slowest possible DRBG? If
this is the best NSA can do, they are over-hyped.
(If you really do want to use Dual-EC-DRBG: truncate more than 16 bits, and
don't use NSA's points, choose your own - at random.)
--
Kristian Gjøsteen
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
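The two mitigations named in the reply (a Q you derive yourself instead of the published points, and dropping more than 16 bits of each output) shown in a toy Dual_EC_DRBG generate loop over NIST P-256; this is an added example, not code from the thread or from any of its authors. It assumes Python 3.8+ (for `pow(x, -1, p)`), and `random_point()` is a hypothetical "nothing up my sleeve" derivation of Q that hashes a public seed to an x-coordinate.

```python
import hashlib

# NIST P-256 domain parameters (standard public values).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def random_point(seed: bytes):
    """Hypothetical self-chosen Q: hash seed||counter to x until it lies on the curve."""
    for ctr in range(2 ** 32):
        x = int.from_bytes(hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)  # P = 3 (mod 4): a square root if rhs is a square
        if y * y % P == rhs:
            return (x, y)

def dual_ec_generate(s, Q, nblocks, truncate_bits=16):
    """Generate loop: s <- x(s*G), r <- x(s*Q); emit r with its top truncate_bits dropped.
    SP 800-90 drops 16 bits; the post recommends more. Returns (output, new state)."""
    assert truncate_bits % 8 == 0
    keep, out = 256 - truncate_bits, []
    for _ in range(nblocks):
        s = mul(s, G)[0]           # state update
        r = mul(s, Q)[0]           # output candidate
        out.append((r & ((1 << keep) - 1)).to_bytes(keep // 8, "big"))
    return b"".join(out), s
```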