Comment by codeflo
2 years ago
That's more of a diary than an article -- jargony, disorganized, running in circles, very hard to follow. But the information might be important regardless. There's a strong implication that NIST, with the help of the NSA, intentionally standardized on a weak algorithm.
We all know that's possible.
But can someone who follows some of this stuff more closely explain what the play would be? I always assumed that weakening public cryptography in such a way is a risky bet, because you can't be sure that an attacker doesn't independently find out what you know. You can keep a secret backdoor key (that was the accusation when they released Dual_EC_DRBG), but you can't really hide mathematical results.
Why would they be willing to risk that here?
Why the overwhelming benefit of the doubt in an organization that has repeatedly failed expectations? I don't understand why this is even a conversation. We don't need them any more. Export restrictions are gone. What we need is a consortium to capture the attention of the hardware vendors and limit NIST and the NSA to participant status. Then if the government decides to adopt their backdoored standards, they're the only ones.
You're making an assumption that the NSA cares about the efficacy of cryptography for other people. Why would they care about that?
Because the NSA has equally well-funded adversaries that would love to find a back door to the NIST standards the whole of the US government uses. Even if the highest levels of the military and government use secret squirrel super cryptography, the rest is using NIST standards. It's all the boring parts of government that deposit paychecks and run the badge readers to their offices.
> You're making an assumption that the NSA cares about the efficacy of cryptography for other people. Why would they care about that?
Hypothesis 1: because the NSA sees evidence that more efficient cryptographic algorithms are easier to crack for them.
To give some weak evidence for this: if you need brute force to crack the cipher (or hash function), a more efficient algorithm needs less computation power to crack.
Hypothesis 2: A more efficient algorithm is likely to become applied in more areas than a less efficient one (think of smartcards or microcontrollers). So if the NSA finds a weakness or is capable of introducing a backdoor in it, it can decrypt a lot more data from more areas.
It's in the national security interest of the United States to have its industries use high-quality crypto.
See: Colonial oil pipeline hack.
It's in the national security interest of the United States to have its industries use robust security practices.
Industries with secure fences that are regularly patrolled are entirely different to industries with partial coverage by unpatrolled rusty fences and a freestanding door frame that has a titanium unpickable lock.
Passwords get compromised; that's a fact.
How the single employee password that got breached was obtained is still (AFAIK) a mystery - but this will always happen ... given many employees, at least one will eventually make a mistake.
After that, the VPN had no multifactor authentication, the network had no internal honey subnets, canary accounts, sanity checks, etc.
High-quality crypto alone does not make for secure systems.
And systems can be secure with lower quality crypto if the systems are robust.
I feel that example argues the opposite.
It's not entirely known how every step of that attack went down, but "breaking low quality crypto" hasn't factored into any incident write up I've ever seen.
However, nearly all ransomware uses RSA. Therefore in this particular case, high-quality crypto caused harm.
(To state the obvious, I'm not advocating for bad crypto, just discussing this case).
> Why would they be willing to risk that here?
Certain types of attacks basically make it so you need to have a specific private key to act as a backdoor. That's the current guess on what may be happening with the NIST ECC curves.
If so, this can be effectively a US-only backdoor for a long, long time.
I don't believe that is anybody's guess on what may be happening with the NIST ECC curves. Ordinarily, when people on HN say things like this, they're confusing Dual EC, a public key random number generator, known to be backdoored, with the NIST curve standards.
The issue with the NIST curves is that they were generated from a PRNG with some kind of completely random seed. The conspiracy theory there is that the seed was selected such as to make the curve exploitable for NSA and NSA only. Choosing such a seed is somewhat harder than a complete break of the hash function (IIRC SHA-2) used in the PRNG that was used to derive the curve.
On the other hand, there are a lot of reasons to use an elliptic curve that was intentionally designed, so, DJB's designs. And well, in 2009 I would not have imagined that the kinds of stuff that DJB publishes would end up being TLS 1.3.
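The comment above describes the seed-to-curve derivation without showing what can actually be checked. As an added example (not from the thread or from NIST's own code), this script reproduces the published FIPS 186-4 Appendix A procedure, which hashes the 160-bit SEED with SHA-1 to obtain an integer r and then requires r·b² ≡ a³ (mod p), and runs it against the published P-256 parameters and seed. It confirms only that b is consistent with the seed under that procedure; it says nothing about where the seed itself came from, which is exactly the open question in the thread.

```python
import hashlib

# Published P-256 domain parameters and SEED (FIPS 186-4, Appendix D).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def derive_r(seed: bytes, p: int) -> int:
    """FIPS 186-4 Appendix A: expand a 160-bit SEED into the integer r
    from which the coefficient b of the curve y^2 = x^3 + ax + b is chosen."""
    g = len(seed) * 8            # SEED length in bits (160 for the NIST curves)
    t = p.bit_length()           # bit length of the field prime
    s = (t - 1) // 160           # number of extra SHA-1 blocks
    h = t - 160 * s              # bits taken from the first hash
    # W0 = rightmost h bits of SHA-1(SEED), with its leftmost bit cleared.
    c0 = int.from_bytes(hashlib.sha1(seed).digest(), "big") & ((1 << h) - 1)
    w = c0 & ~(1 << (h - 1))
    z = int.from_bytes(seed, "big")
    # W_i = SHA-1((z + i) mod 2^g) for i = 1..s, concatenated after W0.
    for i in range(1, s + 1):
        chunk = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        w = (w << 160) | int.from_bytes(hashlib.sha1(chunk).digest(), "big")
    return w


def curve_matches_seed(seed: bytes, p: int, a: int, b: int) -> bool:
    """Return True iff r * b^2 == a^3 (mod p), i.e. (a, b) is a valid output
    of the seeded procedure for this SEED. A False here would mean the
    published coefficients were not derived from the published seed."""
    r = derive_r(seed, p) % p
    return (r * b * b - a * a * a) % p == 0


if __name__ == "__main__":
    print("P-256 consistent with its published SEED:",
          curve_matches_seed(P256_SEED, P256_P, P256_A, P256_B))
    # Constructed negative case: flip one bit of the seed and the check fails.
    bad_seed = bytes([P256_SEED[0] ^ 0x01]) + P256_SEED[1:]
    print("P-256 against a tampered SEED:",
          curve_matches_seed(bad_seed, P256_P, P256_A, P256_B))
```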
Yeah I've noticed people mixing them up. They happened around the same time, so I can excuse it a bit.
The problem with the NIST ECC curves is that we still do not know where the heck that seed came from and why that seed specifically.
Also: if the NIST ECC curves actually are backdoored then why would the NSA need to try to push a backdoored random number generator? Just exploit the already-backdoored curves.
No, it’s really not. Ask Neal Koblitz.
NSA weakened DES from 64-bit keys to 56-bit keys. The idea was that they could be ahead in breaking it, and that by the time 56-bit keys were too weak in general then something else would replace DES. Risky? Yes, but it worked out, for some value of "worked out". So I wouldn't assume something like that wouldn't happen again.
They did that openly. What they did in secret was to harden it against an incredibly powerful attack (it's still a basis for block and hash cryptanalysis today) that nobody else knew about.
The general idea would be that they get a few years out of it before other nation-state factions discover it. The theory behind it is called “kleptography”, because the NSA is deluded enough to think that you can steal information “securely”.
It's all far too conspiratorial for me. Just show me the math as to why it's broken, I don't need a conspiratorial mind map drawing speculative lines between various topics. Do an appendix or two for that.
There's nothing conspiratorial about the post, why not read the article? The math error is described in line 2, the actual error about two screens down, highlighted in red.