[cryptography] Dual EC backdoor was patented by Certicom?
In what is now a long running saga, we have more news on the DUAL_EC backdoor injected into the standards processes. In a rather unusual twist, it appears that Certicom's Dan Brown and Scott Vanstone attempted to patent the backdoor in Dual EC in or around January of 2005.

From Tanja Lange & DJB:

https://projectbullrun.org/dual-ec/patent.html

> ... It has therefore been identified by the applicant that this method potentially possesses a trapdoor, whereby standardizers or implementers of the algorithm may possess a piece of information with which they can use a single output and an instantiation of the RNG to determine all future states and output of the RNG, thereby completely compromising its security.
>
> The provisional patent application also describes ideas of how to make random numbers available to trusted law enforcement agents or other escrow administrators.

This appears to be before ANSI/NIST finished standardising DUAL_EC as a RNG, that is, during the process. What is also curious is that Dan Brown is highly active in the IETF working groups for crypto, adding weight to the claim that the IETF security area is corrupted.

Obviously one question arises -- is this a conspiracy between Certicom, NSA and NIST to push out a backdoor? Or is this just the normal incompetent-in-hindsight operations of the military-industrial-standards complex?

It's an important if conspiratorial question because we want to document the modus operandi of a spook intervention into a standards process. We'll have to wait for more facts; the participants will simply deny. One curious fact, the NSA recommended *against* a secrecy order for the patent.

What I'm more curious about today is Certicom's actions. What is the benefit to society and their customers in patenting a backdoor? How can they benefit in a way that aligns the interests of the Internet with the interests of their customers? Or is this impossible to reconcile?

If Certicom is patenting backdoors, the only plausible way I can think of this is that it intends to wield backdoors. Which means spying and hacking. Certicom is now engaged in the business of spying on ... customers? Foreign governments?

In contrast, I would have said that Certicom's responsibility as a participant in Internet security is to declare and damn an exploit, not bury it in a submarine patent.

If so, what idiot in Certicom's board put it on the path of becoming the Crypto AG of the 21st century?

If so, Certicom is now on the international blacklist of shame. Until questions are answered, do no business with them. Certicom have breached the sacred trust of trade -- to operate in the interests of their customers.

iang

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
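
The trapdoor described in the patent text quoted above, as an added sketch that is not part of the original post, the patent, or any Certicom or NIST code: when the two public points satisfy P = d*Q, whoever knows d turns one output into the generator's next state. The curve (y^2 = x^3 + 7 over the secp256k1 field prime, standing in for NIST P-256), the scalar `D`, and all function names are constructed for illustration, and the standard's output truncation is left out.

```python
# Added illustration, not from the thread. Constructed parameters; the curve
# stands in for NIST P-256 and the standard's output truncation is omitted.
FIELD = 2**256 - 2**32 - 977            # field prime; FIELD % 4 == 3

def lift_x(x):
    """Return a curve point with x-coordinate x, or None if none exists."""
    rhs = (pow(x, 3, FIELD) + 7) % FIELD
    y = pow(rhs, (FIELD + 1) // 4, FIELD)   # square root, valid as FIELD % 4 == 3
    return (x, y) if y * y % FIELD == rhs else None

def add(a, b):
    """Affine point addition; None represents the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

Q = next(pt for pt in map(lift_x, range(1, 100)) if pt)  # public constant
D = 0x5EC2E7                      # designer's secret scalar (constructed)
P = mul(D, Q)                     # public constant, secretly related: P = D*Q

def dual_ec(state, n):
    """Return n outputs: r = x(state*Q), then state = x(state*P)."""
    outputs = []
    for _ in range(n):
        outputs.append(mul(state, Q)[0])
        state = mul(state, P)[0]
    return outputs

def predict(r, d, n):
    """From one output r and a candidate secret d, predict the next n outputs."""
    next_state = mul(d, lift_x(r))[0]   # d*(+/-state*Q) = +/-state*P
    return dual_ec(next_state, n)
```

Nothing in the published P and Q reveals whether such a d exists, which is why the way the points were generated has to be verifiable.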
[cryptography] basing conclusions on facts (was: Re: Dual EC backdoor was patented by Certicom?)
I've no public opinion on Certicom's patent practices. And the behaviour of the signals intelligence agencies has been IMO deplorable. So I sympathise with some of what you are saying.

However, building your case on bogus claims that are not facts as you are clearly doing is a really bad idea. In particular...

On 15/06/14 14:13, ianG wrote:
> What is also curious is that Dan Brown is highly active in the IETF working groups for crypto,

That is not correct as far as I can see. In my local archives, I see one email from him to the TLS list in 2011 and none in 2012. For the security area list (saag), I see a smattering of mails in 2011 and 2012 and none in 2013. For the IRTF's CFRG, I see a few in 2010, none in 2011 and some in 2012 and 2013. I do see increased participation over the last year on the DUAL-EC topic.

None of the above is anywhere near highly active which is therefore simply false.

And I don't believe you yourself are sufficiently active to judge whether or not someone else is highly active in the IETF to be honest. Nor do you seem to have gone through the mail list archives to check.

You are both of course welcome to become highly active if you do want to participate, same as anyone else.

> adding weight to the claim that the IETF security area is corrupted.

And that supposed conclusion, based only on an incorrect claim, is utter nonsense. I would have expected better logic and closer adherence to the facts.

Yes, the IETF security area needs to do better, and quite a few folks are working on that. Yes, it's almost certain that someone was paid by BULLRUN to muck up IETF work. Nonetheless unfounded misstatements such as the above don't help and are wrong.

And the correct reaction is to do better work and not to fall for the same guilt-by-association fallacy that leads the spooks to think that pervasive monitoring is a good plan.

S.
Re: [cryptography] basing conclusions on facts (was: Re: Dual EC backdoor was patented by Certicom?)
On 6/15/14, Stephen Farrell stephen.farr...@cs.tcd.ie wrote:
> On 15/06/14 14:13, ianG wrote:
> > What is also curious is that Dan Brown is highly active in the IETF working groups for crypto,
>
> That is not correct as far as I can see. In my local archives, I see one email from him to the TLS list in 2011 and none in 2012. For the security area list (saag), I see a smattering of mails in 2011 and 2012 and none in 2013. For the IRTF's CFRG, I see a few in 2010, none in 2011 and some in 2012 and 2013. I do see increased participation over the last year on the DUAL-EC topic.
>
> None of the above is anywhere near highly active which is therefore simply false.

Pfff - you are nitpicking.

1. The point that ianG made is clearly understood: He/she is condemning Certicom's, Dan Brown's and Scott Vanstone's attempts to patent the backdoor (to invent and then to patent it). ianG has also tried to raise the dilemma among all of us that are following this list what Dan Brown is doing in IETF?

2. The point that you are doing is also clearly understood: By nitpicking you are trying to clear the amoral actions of Certicom, Dan Brown and Scott Vanstone.

David Jr.
Re: [cryptography] Dual EC backdoor was patented by Certicom?
On 6/15/2014 9:13 AM, ianG wrote:
> In what is now a long running saga, we have more news on the DUAL_EC backdoor injected into the standards processes. In a rather unusual twist, it appears that Certicom's Dan Brown and Scott Vanstone attempted to patent the backdoor in Dual EC in or around January of 2005.
>
> From Tanja Lange & DJB:
>
> https://projectbullrun.org/dual-ec/patent.html
>
> > ... It has therefore been identified by the applicant that this method potentially possesses a trapdoor, whereby standardizers or implementers of the algorithm may possess a piece of information with which they can use a single output and an instantiation of the RNG to determine all future states and output of the RNG, thereby completely compromising its security.
> >
> > The provisional patent application also describes ideas of how to make random numbers available to trusted law enforcement agents or other escrow administrators.
>
> This appears to be before ANSI/NIST finished standardising DUAL_EC as a RNG, that is, during the process. What is also curious is that Dan Brown is highly active in the IETF working groups for crypto, adding weight to the claim that the IETF security area is corrupted.
>
> Obviously one question arises -- is this a conspiracy between Certicom, NSA and NIST to push out a backdoor? Or is this just the normal incompetent-in-hindsight operations of the military-industrial-standards complex?
>
> It's an important if conspiratorial question because we want to document the modus operandi of a spook intervention into a standards process. We'll have to wait for more facts; the participants will simply deny. One curious fact, the NSA recommended *against* a secrecy order for the patent.
>
> What I'm more curious about today is Certicom's actions. What is the benefit to society and their customers in patenting a backdoor? How can they benefit in a way that aligns the interests of the Internet with the interests of their customers? Or is this impossible to reconcile?
>
> If Certicom is patenting backdoors, the only plausible way I can think of this is that it intends to wield backdoors. Which means spying and hacking. Certicom is now engaged in the business of spying on ... customers? Foreign governments?
>
> In contrast, I would have said that Certicom's responsibility as a participant in Internet security is to declare and damn an exploit, not bury it in a submarine patent.
>
> If so, what idiot in Certicom's board put it on the path of becoming the Crypto AG of the 21st century?
>
> If so, Certicom is now on the international blacklist of shame. Until questions are answered, do no business with them. Certicom have breached the sacred trust of trade -- to operate in the interests of their customers.
>
> iang

Uh, I'm sorry but this is not the first time we've seen something like this and I seriously doubt it will be the last. Is it wise to point fingers and start using conspiratorial statements?

--
Kevin
Re: [cryptography] [Cryptography] basing conclusions on facts
On 15/06/2014 14:37 pm, Stephen Farrell wrote:
> I've no public opinion on Certicom's patent practices. And the behaviour of the signals intelligence agencies has been IMO deplorable. So I sympathise with some of what you are saying.
>
> However, building your case on bogus claims that are not facts as you are clearly doing is a really bad idea. In particular...
>
> On 15/06/14 14:13, ianG wrote:
> > What is also curious is that Dan Brown is highly active in the IETF working groups for crypto,
>
> That is not correct as far as I can see. In my local archives, I see one email from him to the TLS list in 2011 and none in 2012. For the security area list (saag), I see a smattering of mails in 2011 and 2012 and none in 2013. For the IRTF's CFRG, I see a few in 2010, none in 2011 and some in 2012 and 2013. I do see increased participation over the last year on the DUAL-EC topic.
>
> None of the above is anywhere near highly active which is therefore simply false.
>
> And I don't believe you yourself are sufficiently active to judge whether or not someone else is highly active in the IETF to be honest. Nor do you seem to have gone through the mail list archives to check.

For my part, I had seen his name only with respect to IETF WGs. However I admit that I do not follow IETF security WGs closely, so am not qualified to assert highly active. You are right, I am wrong.

> You are both of course welcome to become highly active if you do want to participate, same as anyone else.
>
> > adding weight to the claim that the IETF security area is corrupted.
>
> And that supposed conclusion, based only on an incorrect claim, is utter nonsense. I would have expected better logic and closer adherence to the facts.
>
> Yes, the IETF security area needs to do better, and quite a few folks are working on that. Yes, it's almost certain that someone was paid by BULLRUN to muck up IETF work. Nonetheless unfounded misstatements such as the above don't help and are wrong.
>
> And the correct reaction is to do better work and not to fall for the same guilt-by-association fallacy that leads the spooks to think that pervasive monitoring is a good plan.

I had a long post addressing this issue, but as it takes us further from the subject at hand, I'll pull my head from out of the rabbit hole.

iang
Re: [cryptography] [Cryptography] basing conclusions on facts
On 15/06/14 19:16, ianG wrote:
> For my part, I had seen his name only with respect to IETF WGs. However I admit that I do not follow IETF security WGs closely, so am not qualified to assert highly active. You are right, I am wrong.

Thanks for that refreshing approach! I appreciate it,

Cheers,
S.
Re: [cryptography] [Cryptography] basing conclusions on facts
At 02:29 PM 6/15/2014, two wrote:

On 15/06/14 19:16, ianG wrote:
> You are right, I am wrong.

Stephen Farrell wrote:
> Thanks for that refreshing approach!

This is faith shattering. Somebody is lying, maybe everybody.

Ah, Worldwide Elder Abuse Avoidance Day by Obama proclamation:

America must lead by example, and my Administration remains dedicated to ending elder abuse, supporting victims, and holding abusers accountable. Under the Affordable Care Act, we enacted the Elder Justice Act. Through this law, the Federal Government has invested in identifying, responding to, and preventing elder abuse, neglect, and exploitation. Because eliminating this pervasive crime requires coordinated action, we are bringing together Federal agencies; non-profit and private sector partners; and State, local, and tribal governments. Together, we can build a more responsive criminal justice system, give seniors the tools to avoid financial scams, and determine the best ways to prevent elder abuse before it starts.

Seniors have provided for their families, risen to the challenges of their times, and built ladders of opportunity for future generations. Many have served our Nation with honor. After decades of hard work, they have earned the right to enjoy their retirement years with a basic sense of security. Today, let us join with partners around the globe in declaring that we will not fail the men and women who raised us, sacrificed for us, and shaped our world.
Re: [cryptography] Dual EC backdoor was patented by Certicom?
Dear Thierry,

I looked at the primary documents in the USPTO databases. The part that is missing from the US patent 8,369,213 (i.e. missing from the original filing and the European patent I suppose) is now in the pending patent application US-2013-0170642-a1.

No. That one contains other mechanisms of escrow avoidance. Citing myself here

Interestingly, the claims in the new application [13770533.pdf pages 51–55] do not actually cover Dual EC exploitation: they are for other mechanisms of Dual EC escrow avoidance. However, Certicom is still free to file further claims for Dual EC exploitation, retaining the original 21 January 2005 priority date. As of February 2014, the new application is under examination. It was published on 4 July 2013 as publication US 2013/0170642.

https://projectbullrun.org/dual-ec/patent.html

Are these inventors claiming to have *invented* the backdoor in this PRNG method? At least an USPTO examiner hints at this: [claims now in US-2013-0170642-A1] are drawn to establish escrow key with elliptical curve random number generator.

The inventors *describe* the escrow technique but need not *claim* it. Their claims only cover _usage_ of the back door and avoidance of the back door, they do not claim to have invented the back door.

Note also that the earliest (USA) filing date is 2005/01/21 as a provisional US patent application number 60/644982.

In contrast, I would have said that Certicom's responsibility as a participant in Internet security is to declare and damn an exploit, not bury it in a submarine patent.

Technically, this is not a submarine patent. The publication date is 2007/08/16 (soon after the international-treaty-based 18 months delay after the filing date applicable to the non-USA patent jurisdictions) and anyone could have access to this information by then.

Note that the publication date of the international application (verbatim the same) was 2006/07/27.

Tanja