[Cryptography] Fw: how could ECC params be subverted & other evidence

2013-09-10 Thread Perry E. Metzger
Forwarding because Adam apparently has distinct envelope and From:
addresses and didn't notice the bounce.

Note that anyone replying and attributing this message to *me* will
be laughed at mercilessly as their message is rejected.

Perry

Begin forwarded message:

Date: Tue, 10 Sep 2013 13:42:57 +0200
From: Adam Back a...@cypherspace.org
To: Perry E. Metzger pe...@piermont.com
Cc: Alexander Klimov alser...@inbox.ru, Cryptography List
cryptography@metzdowd.com, Adam Back a...@cypherspace.org
Subject: Re: [Cryptography] how could ECC params be subverted & other
evidence


Perry wrote:
> The Times reported that a standard [...] had been subverted, and
> there had been much internal congratulation in a memorandum.
>
> [...] This was only an example, the context in the Guardian and the
> Times made it clear others are probably lurking.

The important potential backdoor is NIST 186-3 curves in Peter
Fairbrother's reply, and I think that would be a good place to focus
analysis.  

(DRBG is largely irrelevant due to its suspected compromised state since
2007, and very limited use.  It is also a different type of issue -
not backdoored curves, arguably backdoored parameters).

I would like to hear also from other readers, who may have a deeper
understanding of EC math and parameter selection.

I do think people should be careful to distinguish between three
things:

1. political confirmed backdoor claims from whistleblower documents
   as interpreted by journalists (technical articles by eg Schneier
   exempted);

2. possible backdoor (showing that a parameter or key generation lacks
   sufficient fairness in its generation)

3. actual verifiable sabotage (the actual backdoor keys, previously
   unpublished implausible design failure, software backdoor etc.)

We need accuracy because once the dust has settled people will be
making crypto protocol design & implementation decisions based on
what is concluded.  Speculate away, but be clear.

Adam
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Fw: how could ECC params be subverted other evidence

2013-09-10 Thread Perry E. Metzger
On Tue, 10 Sep 2013 16:45:23 -0400 John Kelsey crypto@gmail.com
wrote:
> [DRBG] seemed like a really weird place to put a backdoor, because
> it was insanely slow, and it seemed unlikely to get any significant
> use.

As an aside, this is just the instance we know about, partially
because they screwed up, partially because the New York Times saw fit
to let us have confirmation of what was suspected in public.

I presume they've been more careful in other places, and that this is
not their only work. I presume that they knew this would not be
used much and it was only a target of opportunity -- and that they've
gotten much more interesting fixes in elsewhere, perhaps even in
other parts of the NIST RNG standards (though it would *seem* much
harder to gimmick those).

> And I, at least, had internalized the idea that we weren't
> going to get intentional bad advice or sabotage from another part
> of the federal government.

You're not the only person feeling betrayed. For many years, the NSA
people appeared on our doorsteps offering help in many, many
contexts -- IETF for example.

The awful part is, many of them may have been completely sincere.
The IA side of the house *does*, in fact, depend on COTS hardware to
secure most of the Federal Government. They *do* have an interest in
keeping US commercial targets safe from attack.

However, even if many of the NSA people who participated in standards
work were sincere, their good will has been ruined by other NSA
people who used the sincere ones as cover for their
machinations. We now have to be suspicious of all of them, probably
permanently, and that's bad for everyone.

I imagine that there are some people inside the NSA now yelling at
others about how they've made it ever so much harder to fix the
security of most of the Federal Government, which indeed depends on
COTS hardware. Now even if they come to us with really good advice,
we have no idea if we should take it because we can't know they're
not lying to us.

Nonetheless, it is done, and those of us on the outside can't
depend on NSA participants in standards work any longer. A set
of short-sighted, foolish decisions have created tragedy for all.


Perry
-- 
Perry E. Metzger  pe...@piermont.com