Re: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]

Dan Brown <dbrown@certicom.com> Fri, 27 December 2013 20:44 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65D651AE500 for <cfrg@ietfa.amsl.com>; Fri, 27 Dec 2013 12:44:17 -0800 (PST)
X-Quarantine-ID: <9vEM4yh43jP8>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "MIME-Version"
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_12=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vEM4yh43jP8 for <cfrg@ietfa.amsl.com>; Fri, 27 Dec 2013 12:44:15 -0800 (PST)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id 638D31AE4FF for <cfrg@irtf.org>; Fri, 27 Dec 2013 12:44:14 -0800 (PST)
Content-Type: multipart/mixed; boundary="===============0685656716=="
MIME-Version: 1.0
Received: from xct108cnc.rim.net ([10.65.161.208]) by mhs215cnc.rim.net with ESMTP/TLS/AES128-SHA; 27 Dec 2013 15:43:58 -0500
Received: from XCT109CNC.rim.net (10.65.161.209) by XCT108CNC.rim.net (10.65.161.208) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 27 Dec 2013 15:43:57 -0500
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT109CNC.rim.net ([::1]) with mapi id 14.03.0123.003; Fri, 27 Dec 2013 15:43:57 -0500
From: Dan Brown <dbrown@certicom.com>
To: "'adam@cypherspace.org'" <adam@cypherspace.org>
Thread-Topic: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]
Thread-Index: AQHPAzcmHrjTGfNekU+rGMVAFLoNyJpod74g
Date: Fri, 27 Dec 2013 20:43:56 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5C187DC@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF5C18718@XMB116CNC.rim.net> <20131227190907.GA23840@netbook.cypherspace.org>
In-Reply-To: <20131227190907.GA23840@netbook.cypherspace.org>
Accept-Language: en-CA, en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
MIME-Version: 1.0
Cc: "'cfrg@irtf.org'" <cfrg@irtf.org>
Subject: Re: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Dec 2013 20:44:17 -0000

> -----Original Message-----
> From: Adam Back [mailto:adam@cypherspace.org]
> Sent: Friday, December 27, 2013 2:09 PM
> 
> Dan Brown wrote:
> > [...]
> > 8. All considered, I don't see how the ANSI and NIST standards for
> > Dual_EC_DRBG can be viewed as a subverted standard, per se.
> 
> Of course they're subverted.   

> We have Ferguson et al show how they could
> be backdoored.  
 
Repeating myself, nobody showed how the alternative P&Q could be backdoored.

 
In other words, even if subversion were attempted, it was effectively caught
and thwarted, at least in 800-90A and X9.82-3, by two things: (a) the
alternative points, and (b) the highly publicized potential backdoor.  Of
course, (b) is outside the standard, which is why I referred to naïve and
malicious implmenters.

Arguably, the specs do not do enough to warn naïve implementers of the
backdoor.  So, I went back to look at SP 800-90A.

Section 10.3.1, first paragraph states that Dual_EC_DRBG depends on it hard
to find a such that Q=aP.  On the same page, Figure 13 outlines the
Dual_EC_DRBG, using the same notation P and Q.

So, even if a naïve implementer hadn't heard of Ferguson et al., these two
parts of the spec together spell out to the implementer the need to ensure
that a is secret, no?

In other words, the specs are fairly clear to a thorough implementer.  

I admit that the specs could be made even clearer: they could have said that
there is a potential "backdoor".  

I would even want them to clearer. 

> We have internal NSA documents reported as talking about
> the subversion.  
 
Reported, yes.  But AFAIK, not published.

> We have confirmation of RSA (inadvertently or not)
> accepting money to put a EC_DRBG as a default.  

My conclusion was regarding the standards, per se, not about
implementations. I was not drawing any conclusions about implementations.

> You yourself just said the
> validation labs are demanding the backdoored P & Q be used (and rejecting
> the provably uncooked implemented chosen parameters presumably).  

 Yes, I should clarify, I was referring to the NIST SP 800 90A and ANSI
X9.82-4 as not being subverted.  I am only vaguely familiar with CAVP and
CMVP, and was not drawing any conclusions about them.  Aside: I do not deals
with labs personally, so have nothing to say about them.

> NIST
> put the standard forward (inadvertently or not) from NSA input.

Hmm, I'm biased towards to mainly looking at documents in a context-free
manner: i.e. what they say, not who is saying it.  The way I read the specs,
nothing is being is hidden.  
 
> I am non-plussed at what you could be trying to say with the above
> statement.
 
Hope my response helps you.  

I am anticipating it is too narrow.

I am a bit perplexed too: I see many statements about Dual_EC_DRBG that seem
too broad.  


---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.