24. sep. 2013 kl. 18:01 skrev Jerry Leichter <leich...@lrw.com>: > At the time this default was chosen (2005 or thereabouts), it was *not* a > "mistake". Dual EC DRBG was in a just-published NIST standard. ECC was > "hot" as the best of the new stuff - with endorsements not just from NSA but > from academic researchers.
Choosing Dual-EC-DRBG has been a mistake for its entire lifetime, because it is so slow. While some reasonable people seem to have a preference for cryptography based on number theory, I've never met anyone who would actually use Dual-EC-DRBG. (Blum-Blum-Shub-fanatics show up all the time, but they are all nutcases.) I claim that RSA was either malicious, easily fooled or incompetent to use the generator. I will not buy anything from RSA in the future. Were I using RSA products or services, I would find replacements. (For what it's worth, I discounted the press reports about a trapdoor in Dual-EC-DRBG because I didn't think anyone would be daft enough to use it. I was wrong.) -- Kristian Gjøsteen _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography