Conversation

Tonight is the night when a whole group of unrelated people suddenly and in apparent coordination decide to blame Extended Random on Eric Rescorla, an uncleared contractor hired by the NSA to facilitate its introduction to IETF. Fascinating! twitter.com/DanielMicay/st

This Tweet is unavailable.

Replying to

I don't think we should be going after either of these people or blaming them for anything. It's a very clear misrepresentation of what I said. Please don't accuse me of something that I clearly didn't do. Thanks.

Replying to

Calling the contractor out by name and job position is an awfully strange way of realizing that ideal.

Replying to

and

Guys can you please get off each others' throats? 😊 As you noted in open of thread there's a natural discomfort in making the callout and it's ok to disagree over whether it's justified.

Replying to

and

That's my issue with it. I don't feel that the evidence is there for this accusation to be fair. I also actually went ahead and read tools.ietf.org/html/draft-res based on the post and I don't see how this standard could be used as a backdoor. It just looks like useless bloat to me.

Replying to

and

I'm open to the concept that the NSA was trying to sabotage standards by proposing useless extensions to them but I doubt that many people would have ever used something like this aside from them. I don't really see how adding extra random values that are hashed can cause harm.

Replying to

and

For simplicity, assume the CSPRNG for it is insecure. It could even be a totally insecure PRNG like XorShift. It could return zeroed values every single time. Does it matter, with how the standard proposes using it? I'll happily call it useless cargo cult nonsense, but backdoor?

Replying to

and

This is the same way the Linux kernel adds entropy from untrusted sources. An attacker can overwrite this data so the standard might as well be calling these fields attacker_input and extended_attacker_input. I don't understand why they even have the original non-extended one.

2:01 AM · Feb 6, 2021Twitter Web App

Replying to

and

It only matters (negatively) for security if you happen to have a PRNG where a certain number of consecutive PRNG bytes *must* be placed on the wire for the backdoor to be effective. The only such PRNG is Dual EC. The only crypto library that useD DualEC by default is RSA BSAFE.

Replying to

and

There is exactly one library in the known universe that implemented both Dual EC and Extended Random. That’s RSA BSAFE.

Show replies