On Sat, Dec 21, 2013 at 8:05 PM, Mike Wright <[email protected]> wrote:

> I've been trying to find out if the versions of openssl shipped by fedora
> use the "Dual Elliptical Curve" encryption method that RSA so politely (for
> a tidy $um) made default at the request of the US's NSA. That is the
> encryption method with the NSA's very own backdoor.
>
> If so, has it been corrected?  Is openssl even safe to use anymore? What
> about previous versions of fedora?
>
>
From
http://arstechnica.com/security/2013/12/report-nsa-paid-rsa-to-make-flawed-crypto-algorithm-the-default/

The Dual_EC_DRBG algorithm is included in the NIST-approved crypto standard
SP 800-90 and has been viewed with suspicion since shortly after its
inclusion in the 2006 specification. In 2007, researchers from Microsoft
showed that the algorithm could be backdoored: if certain relationships
between numbers included within the algorithm were known to an attacker,
then that attacker could predict all the numbers generated by the
algorithm. These suspicions of backdooring seemed to be confirmed this
September with the news that the National Security Agency had worked to
undermine crypto standards
<http://arstechnica.com/security/2013/09/the-nsas-work-to-make-crypto-worse-and-better/>.


The impact of this backdooring seemed low. The 2007 research, combined with
Dual_EC_DRBG's poor performance, meant that the algorithm was largely
ignored. Most software didn't implement it, and the software that did
generally didn't use it.

Other commentators say pretty much the same thing. The Dual_EC_DRBG
algorithm was viewed with suspicion from the start, and besides was very
slow, so most crypto software doesn't implement it. An exception is RSA's
own Bsafe product, but as that's nonfree it wouldn't be part of Fedora
anyway.

It would nevertheless be good to have a statement about this from a Fedora
authority.

poc