the crypto backdoor

Best write-up I’ve seen so far on the cryptographic backdoor–assuming it was an intentional backdoor, which is probable but not proven.

Note that it took six years to go from this:

Dan Shumow and his Microsoft colleague Niels Ferguson titled theirs, provocatively, “On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng.” It was a title only a crypto geek would love or get.

To this:

Early this month the New York Times drew a connection between their talk and memos leaked by Edward Snowden, classified Top Secret, that apparently confirms that the weakness in the standard and so-called Dual_EC_DRBG algorithm was indeed a backdoor.

It’s disputed that this was a purposeful backdoor, as opposed to just bad design. Prior to public release of documents that detail the NSA’s shenanigans, I would have blamed poor design over purposeful sabotage. Now, in my view, it’s just naive to assume this was an accident. The broken random number generation of EC means that any cryptosystem that relies on it is effectively broken, no matter how well the other aspects of the system are implemented. It’s unlikely the NSA would make such a mistake, and then fail to correct it years later. My hunch is that this is exactly what they wanted. A system broken at the foundation; no matter how well the house atop the foundation is built, the NSA can always knock it down if need be. Secure enough to withstand amateur attacks, but crackable enough for the NSA, or any other well-funded or determined assailant.

This is why it’s sabotage. Not only can the NSA break it, but so can anyone else, provided the resources.

Some good news: Senators to introduce reform bill. Some caution though, as we’ve seen this before and there’s always a possibility for the final bill to be watered down. And of course the NSA could just ignore the bill, find loopholes, etc.

More good news: Google Chrome to take more aggressive steps regarding the security of certificates. Recall that the NSA has forged these sorts of certificates, used to authenticate web sites/servers in SSL/TLS sessions, as well as secure the communication to/from those servers.
