Comment by woodruffw

3 years ago

Dual_EC keeps getting brought up, but I have to ask: does anybody have any real evidence that it was widely deployed? My recollection is that it basically didn't appear anywhere outside of a handful of not-widely-used FIPS-certified libraries, and wasn't even the default in any of them except RSA's BSAFE.

The closest thing we have to evidence that Dual_EC was exploited in the wild seems to be a bunch of circumstantial evidence around its role in the OPM hack which, if true, is much more of a "self own" than anything else.

It was widely deployed. NSA got it into BSAFE, which I would have said "nobody uses BSAFE, it's not 1996 anymore", but it turned out a bunch of closed-source old-school hardware products were using BSAFE. The most notable BSAFE victims were Juniper/Netscreen.

Everybody who claimed Dual EC was a backdoor was right, and that backdoor was materially relevant to our industry. I couldn't believe something as dumb as Dual EC was a real backdoor; it seemed like such idiotic tradecraft. But the belief that Dual EC was so bad as tradecraft that it couldn't be real was, apparently, part of the tradecraft! Bernstein is right about that (even if he came to the conclusion at basically the same time as everyone else --- like, the instant you find out Juniper/Netscreen is using Dual EC, the jig is up).

  • I don't think Juniper used BSAFE in ScreenOS -- they seem to have put together their own Dual EC implementation on top of OpenSSL, sometime around 2008. (This doesn't change your point, of course.)

    • Yeah, I think you're right; the Juniper revelation also happened months after the BULLRUN stuff --- I remember being upset about how Greenwald and his crew had hidden all the Snowden docs in a SCIF to "carefully review them", with the net result that we went many months without knowing that one of the most popular VPN appliances was backdoored.

Not Dual EC, but ECDSA is used (by law) in EU smart tachograph systems for signing data.

  • ECDSA is almost universally used. It's deeply suboptimal in a variety of ways. But that's because it was designed in the 1990s, not because it's backdoored. This isn't a new line of argumentation for Bernstein; he has also implied that AES is Rijndael specifically because it was so commonly implemented with secret-dependent lookups (S-boxes, in the parlance); he's counting on a lay audience not knowing the distinction between an engineering principle mostly unknown at the time something was designed, and a literal backdoor.

    What's annoying is that he's usually right, and sometimes even right in important new ways. But he runs the ball way past the end zone. Almost everybody in the field agrees with the core things he's saying, but almost nobody wants to get on board with his wild-eyed theories of how the suboptimal status quo is actually a product of the Lizard People.

    • Is he claiming that it is a literal backdoor though? Couldn't Bernstein have a point that the NIST picked Rijndael as the winner of the AES competition because the way it was usually implemented was susceptible to timing attacks? Even if the engineering principle was mostly unknown at the time, one might guess that e.g. NSA was aware of it and may have provided some helpful feedback.

    • > he's counting on a lay audience not knowing the distinction between an engineering principle mostly unknown at the time something was designed, and a literal backdoor.

      When you discount his theories with that argument, your own reductio ad Lizardum (?) doesn’t help. There’s a world of distinction between NSA inserting backdoors, for which there’s good evidence but maybe not every time, and whatever you’re trying to paint his theory as by invoking the Lizard People.

    • I don't care about his theories. What matters is that US export controls on encryption were reduced due to his previous lawsuit and he has offered alternative encryption in the public domain.