Hosnieh Rafiee wrote:
I have gathered some vulnerabilities in the current DNS security approaches such as DNSSEC, etc. We think it is useful to have a survey of existing vulnerabilities or any new vulnerabilities so that we can address those issues in other standard RFC. This is why we plan to write a new informational draft.

While this is, in theory, a known vulnerability, it is still surprising that USG actively used it.

Mocana Purges NSA-Compromised Key-Generation Scheme from Its Popular Nanocrypto Embedded Security Engine

http://www.businesswire.com/news/home/20131016005500/en

SAN FRANCISCO--(BUSINESS WIRE)--Mocana, the app security leader, issued a security advisory and announced an update to its NanoCrypto™ embedded security engine software (www.mocana.com/nanocrypto) that removes the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG) algorithm, an algorithm that was previously promoted as a cryptographically secure key generation method by the National Institute of Standards and Technology (NIST).

Mocana’s action is the result of recent Edward Snowden document revelations that the Dual_EC_DRBG algorithm contains a vulnerability that likely enables US intelligence agencies to easily decrypt communications protected with the algorithm. The algorithm was designated as a standard (SP 800-90A) by NIST in 2006, at least in part because of endorsement and promotion by the NSA.

Masataka Ohta
