Re: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]

Adam Back <> Fri, 27 December 2013 19:48 UTC

Date: Fri, 27 Dec 2013 20:47:45 +0100
From: Adam Back <>
To: Santosh Chokhani <>
Cc: Dan Brown <>, Adam Back <>, "''" <>

I think I stayed extremely far away from anything conspiratorial, and I
remind you to please keep your responses civil.

To counter your unfounded attack, now I have to explain, I quoted Dan Brown
who said in the mail I was replying to:

> 5. Either CMVP or CAVP (I forget which) insisted on the default P and Q. 
> But the stated purpose of these validation programs, IIRC, is only to
> protect communication with USG/CAG, in which the user is already trusting
> these entities extensively.  I'm not aware of any promises to protect
> non-USG communication in the CMVP or CAVP.

I do actually have multiple first-hand experiences working with
certification labs, one of them may even have been cygnacom (I forget, was
some time ago but it rings a bell).  Anyway, take up your complaint with Dan
who claimed the above (offlist if you like).  All I could say first hand is
the evaluation process is typically a documentation/tracing exercise
following the letter of the relevant standards and validation procedures.
If a lab interpreted the EC_DRBG spec as requiring that specific P & Q to be
used, that could be a neutral action (or not).  It's impossible to say.

It would not be the first time at least that for procedural reasons lab
decisions have actually hindered product security, from what I've heard.  The
lab's job is to certify adherence to a documented standard, not to help the
company make a secure product.  Sometimes standards inflexibility conflicts
with product security.  Often you can work around it - get certification and
make a secure product.  Certification is still a useful minimum bar and
accreditation process.

If you work for cygnacom in this area, I'm sure you've come across such
conflicts yourself.


On Fri, Dec 27, 2013 at 07:15:03PM +0000, Santosh Chokhani wrote:
>Validation labs do not get or want money for backdoors.
>
>So, either quit your conspiratorial nonsense or take it to Hollywood.
>
>-----Original Message-----
>From: Cfrg [] On Behalf Of Adam Back
>Sent: Friday, December 27, 2013 2:09 PM
>To: Dan Brown
>Cc: Adam Back; ''
>Subject: Re: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]
>
>Dan Brown wrote:
>> [...]
>> 8. All considered, I don't see how the ANSI and NIST standards for
>> Dual_EC_DRBG can be viewed as a subverted standard, per se.
>
>Of course they're subverted.  We have Ferguson et al. show how they could be
>backdoored.  We have internal NSA documents reported as talking about the
>subversion.  We have confirmation of RSA (inadvertently or not) accepting
>money to put an EC_DRBG as a default.  You yourself just said the validation
>labs are demanding the backdoored P & Q be used (and rejecting the provably
>uncooked implemented chosen parameters presumably).  NIST put the standard
>forward (inadvertently or not) from NSA input.
>
>I am nonplussed at what you could be trying to say with the above statement.