Conversation

I'm open to the concept that the NSA was trying to sabotage standards by proposing useless extensions to them but I doubt that many people would have ever used something like this aside from them. I don't really see how adding extra random values that are hashed can cause harm.
For simplicity, assume the CSPRNG for it is insecure. It could even be a totally insecure PRNG like XorShift. It could return zeroed values every single time. Does it matter, with how the standard proposes using it? I'll happily call it useless cargo cult nonsense, but backdoor?
This is the same way the Linux kernel adds entropy from untrusted sources. An attacker can overwrite this data so the standard might as well be calling these fields attacker_input and extended_attacker_input. I don't understand why they even have the original non-extended one.
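The claim in the post above (mixing untrusted, even attacker-chosen, data into an entropy pool through a hash cannot weaken the pool as long as the pool already holds secret entropy) can be checked with a toy model. This is an added example, not code from the thread or from the Linux kernel; it is a simplified hash-based pool (SHA-256 over pool plus input), not the kernel's real mixing function, and every function name and sample value in it is a constructed assumption.

```python
import hashlib
import secrets

POOL_BYTES = 32


def mix(pool: bytes, untrusted: bytes) -> bytes:
    """Fold untrusted input into the pool: new_pool = SHA-256(pool || input).

    Toy model of a hash-based entropy pool (assumption, not the kernel's design).
    """
    return hashlib.sha256(pool + untrusted).digest()


def next_output(pool: bytes, untrusted: bytes) -> tuple[bytes, bytes]:
    """Mix in one untrusted input and derive one 32-byte output from the new pool."""
    new_pool = mix(pool, untrusted)
    output = hashlib.sha256(b"output" + new_pool).digest()
    return new_pool, output


def outputs_depend_on_secret(untrusted: bytes) -> bool:
    """Two pools that differ only in their secret state give different outputs
    for the same attacker-chosen input (the input alone does not fix the output)."""
    pool_a = secrets.token_bytes(POOL_BYTES)
    pool_b = secrets.token_bytes(POOL_BYTES)
    return next_output(pool_a, untrusted)[1] != next_output(pool_b, untrusted)[1]


def attacker_can_force_output(secret_pool: bytes, target: bytes, tries: int = 5000) -> bool:
    """An attacker who controls the mixed-in input but not the pool tries to steer
    the next output to a chosen target.  Each attempt succeeds with probability
    2**-256, so this returns False for any realistic number of tries."""
    for i in range(tries):
        _, out = next_output(secret_pool, i.to_bytes(4, "big"))
        if out == target:
            return True
    return False


def predictable_when_pool_is_empty(untrusted: bytes) -> bool:
    """The failure mode that *does* matter: if the pool itself never held secret
    entropy (here: all zeros), an attacker who knows the mixed-in input can
    recompute the output exactly.  The weakness is the seed, not the extra input."""
    empty_pool = bytes(POOL_BYTES)
    _, real_output = next_output(empty_pool, untrusted)
    _, attacker_guess = next_output(bytes(POOL_BYTES), untrusted)  # attacker's replay
    return real_output == attacker_guess


if __name__ == "__main__":
    zeros = bytes(32)  # constructed "worst case" attacker input: all zeros
    print("output depends on secret pool:", outputs_depend_on_secret(zeros))
    print("attacker can force output:",
          attacker_can_force_output(secrets.token_bytes(POOL_BYTES), zeros))
    print("predictable with empty pool:", predictable_when_pool_is_empty(zeros))
```

The last function is the one to watch: hashing in attacker input is harmless only because the pool already contains a secret; a generator whose seed is known or low-entropy is predictable regardless of what else is mixed in.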
It only matters (negatively) for security if you happen to have a PRNG where a certain number of consecutive PRNG bytes *must* be placed on the wire for the backdoor to be effective. The only such PRNG is Dual EC. The only crypto library that used Dual EC by default is RSA BSAFE.
What I don't understand is why they would take such a complicated approach focused on trying to backdoor cryptography primarily intended for use by the US government rather than others. No one in their right mind is using FIPS, etc. unless forced to do it for that.
I thought it was farfetched too. And then I found out that *every* product that used RSA BSAFE, the most popular crypto library of that time period, had exploitable Dual EC enabled by default. I also found out that every Juniper NetScreen firewall sold after '08 did too.
I'm just a lot more inclined to believe they're severely incompetent and ended up pushing sketchy cryptography primarily for usage by the US government and US government contractors while damaging the reputation of US companies and their own.
Not saying that they haven't subverted cryptography but rather this seems overly elaborate along with it being openly tied to them from the start and primarily aimed at US government / contractor usage. I'm more inclined to believe they'd sneak a backdoor into OpenSSL than this.