
NIST reopens draft recommendation on random number generation for comment [pdf]

140 points| healsjnr1 | 12 years ago |csrc.nist.gov | reply

46 comments

[+] lmgftp|12 years ago|reply
It should probably be noted that this is not some sort of validation to the fact that "the NSA owns this particular DRBG".

Surprisingly (to me), this is merely a signal of a government agency that takes public perception to heart and issues a vote of not-complete-confidence in standards it has previously prescribed, and today is seeking to rectify the problem by looking for nothing-up-my-sleeve numbers [0] agreed upon by security researchers and the public at large. A smart move, no doubt a difficult one to make, as even the slightest suggestion of no-confidence in a prescribed standard is quite damaging to the reputation of an institution devoted to maintaining reliable standards.

More info on nothing-up-my-sleeve: [0] http://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number

[+] tlrobinson|12 years ago|reply
Somewhat off topic, but it seems like it would be better to use some future unpredictable events to really remove any "nothing up my sleeve" doubt, e.g. a hash of the sum of all S&P 500 companies' closing stock prices on a specific future date.
[+] cpeterso|12 years ago|reply
The variety of "nothing up my sleeve" numbers listed in Wikipedia suggests that the NSA could brute force a "nothing up my sleeve" source backtracked from a vulnerable number they wanted to use.
[+] jlgaddis|12 years ago|reply
> It should probably be noted that this is not some sort of validation to the fact that "the NSA owns this particular DRBG".

It sounds like the NYT is convinced. The caption under the header picture reads:

"As part of its efforts to foil Web encryption, the National Security Agency inserted a backdoor into a 2006 security standard adopted by the National Institute of Science and Technology, the federal agency charged with recommending cybersecurity standards."

[+] cromwellian|12 years ago|reply
I doubt the NIST will ever be trusted again as any standards or specs they are in favor of will be immediately suspected of having some favorable vulnerability for the NSA.

Let's say they hold a contest for people to submit next generation cryptosystems, and that Algorithms A,B, and C make it to the final. If the NIST publishes critical remarks on A and C and seems to favor B, immediate skepticism and red flags will be raised. Does B have a hidden weakness the NSA knows about?

A standards organization can only run on its transparency and integrity.

[+] tptacek|12 years ago|reply
First, a lot of NIST crypto standards are relatively anodyne; for instance, the NIST GCM standard basically just explains how to do multiplication in GF(2^128), and the NIST CTR mode standard just lays out a bunch of ways you can arrange your counter block. Those standards remain valuable and aren't likely to harbor backdoors.

Second, it has always been the case that favorable responses from the USG in general and NSA in particular have cast a pall over proposed standards. Isn't that why there's a RIPEMD160, for instance?

[+] rdtsc|12 years ago|reply
Exactly.

I believe we will see a rise in credibility of foreign (for Americans) standards bodies. It could be Germany (would it be BSI?) or another country. I know, for example, Red Hat had been getting their Common Criteria cert (needed to sell their systems more easily to some government agencies) from Germany's BSI, but it was because of red tape, not credibility.

http://investors.redhat.com/releasedetail.cfm?ReleaseID=7168...

I believe similar things will happen with other standards, products and services related to security. It will be beneficial to advertise that it was some other agency rather than NIST that certified the product/standard. Or that somehow this service or product is better because we know the NSA didn't stick its fingers in the pie. Kind of a negative advertisement. A real shame. This will hurt American companies (including jobs, taxes) quite a bit.

[+] wahsd|12 years ago|reply
As a rule of thumb I would recommend that no government agency be trusted about any projects they develop. Everyone would be better off {blank stare} Beyond that, there really needs to be more focus on open-source and public code review with an industry funded focus group that takes on reviewing core elements of technology and the internet down to the atomic level.

The chances are that if there are flaws and deliberate corruption to be discovered, it is to be discovered now. Not every line of code needs reviewing at all times, whole projects need periodic, thorough review.

Can I just say, I wish someone at some kind of reputable journal would calculate the damage and cost of what our government has done. It goes far beyond the obvious costs, by affecting things like, e.g., Apple's new, excellently timed iPhone 5S Touch ID feature, which will surely not go over well with consumers, especially globally. The US Government has now taken a pipe to the shins of the most valuable company on the globe; all because our psychopaths in charge aspire to being despotic authoritarians that have to control everything in order to prevent discovery of their incompetence.

[+] lifthrasiir|12 years ago|reply
Background: https://en.wikipedia.org/wiki/Dual_EC_DRBG

> Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator is a controversial pseudorandom number generator (PRNG) designed and published by the National Security Agency. [...] Shortly after the NIST publication, it was suggested that the RNG could be a kleptographic NSA backdoor.

[+] tptacek|12 years ago|reply
It's an awfully weird trojan horse --- or, as Daniel Franke put it on Twitter, a trojan platypus.

First: NIST RNG designs aren't particularly important (unlike the curve standards); there is a broad diversity of CSPRNG designs, applications tend to "borrow" the OS's, and no OS I know of uses a design taken directly from NIST.

Second: Dual EC DRBG is a CSPRNG that uses elliptic curve point multiplications; in other words, it requires bignum math. If you're unfamiliar with CSPRNG design: that's not a normal requirement. Dual EC is very slow. Nobody would willingly use it.

Why would that be the big NSA standard back door? I'm not saying it isn't. Something hinky happened there. I'm just asking: what did they have to gain from trying to backdoor that standard?
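
To make two points in this thread concrete, lmgftp's note about nothing-up-my-sleeve constants and tptacek's description of Dual EC as a generator built on elliptic-curve point multiplication, here is an added Python illustration; it is not code from the thread or from NIST. It uses the real P-256 parameters with a textbook affine implementation of the curve arithmetic (illustration only, not constant-time), and derives Q by hashing a public label with try-and-increment, which is one verifiably-random construction chosen for this example, not the method in SP 800-90A; the seed and label values are constructed.

```python
import hashlib
# NIST P-256 parameters: the curve Dual EC DRBG is specified over (alongside P-384 and P-521).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    # Affine chord-and-tangent addition; None stands for the point at infinity.
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    # Double-and-add scalar multiplication: this 256-bit bignum loop is why Dual EC is slow.
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def nums_point(label):
    # "Nothing up my sleeve" point: hash a public label, try-and-increment until x is on the curve.
    # Anyone can rerun this, and it hands nobody a scalar d with Q = d*G (constructed derivation).
    for ctr in range(2**32):
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (x * x * x + A * x + B) % P
        if pow(rhs, (P - 1) // 2, P) == 1:          # Euler's criterion: rhs is a square mod P
            return (x, pow(rhs, (P + 1) // 4, P))   # square root, valid because P % 4 == 3

def dual_ec(seed, q, n_out):
    # Dual EC DRBG core: s <- x(s*G), r <- x(s*Q), emit the low 240 bits (spec drops 16 high bits).
    s, out = seed, []
    for _ in range(n_out):
        s = mul(s, G)[0]       # state update uses the fixed base point G
        r = mul(s, q)[0]       # output uses Q, whose provenance is the whole controversy
        out.append(r & ((1 << 240) - 1))
    return s, out
```

Rerunning nums_point with the same label reproduces Q, which is the check anyone can perform; a Q handed down as a bare constant offers no such check.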

[+] clarkm|12 years ago|reply
Which seems to be confirmed by Snowden's leaks, according to the NYT article from earlier this week.

> Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members. Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort "a challenge in finesse."

Bottom of page 3: http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet...

[+] Wingman4l7|12 years ago|reply
For those curious (as I was) as to what the heck that title means, the press release linked deals with the National Institute of Standards and Technology (NIST) and what kind of random number generators (RNGs) they recommend using.
[+] seldo|12 years ago|reply
Agreed, a rewording of the title to something a little more accessible would not go amiss.
[+] marshray|12 years ago|reply
Here's my comment: This is the dumbest PRNG ever.
[+] mpyne|12 years ago|reply
Look up RANDU.