Edward Ned Harvey (blu) wrote:

> True, the NSA sabotaged some RNG algorithms in NIST, but those were
> discovered and exposed by peer community review before any widespread
> adoption. That's the point of a public open competition.

NIST Special Publication 800-90 from March 2007. That's where Dual_EC_DRBG is presented as a federal standard.

Now go peruse this:

http://www.openssl.org/docs/fips/SecurityPolicy-2.0.pdf

which describes the Dual_EC_DRBG implementation in OpenSSL as part of the FIPS 140-2 certification.

And this:

http://rump2007.cr.yp.to/15-shumow.pdf

which describes the weakness in the algorithm as, paraphrased, "we're not saying that it is a backdoor but we do wonder".

Despite the security community being suspicious of it for nearly EIGHT YEARS, the algorithm is in everything that complies with FIPS 140-2. Including OpenSSL and Mozilla's NSS. That's every major web browser other than Internet Explorer. Oh, and Microsoft's cryptographic module also has FIPS 140-2 certification, so IE has it, too. Every major desktop and server OS in operation today has it. Every smartphone and tablet other than maybe really old PalmOS stuff has it. Sony and Microsoft use FIPS 140-2 certified libraries on their consoles; Nintendo uses CyaSSL, which is in the process of obtaining that certification.

I can't think of any widely-used, networked consumer devices that aren't "contaminated" with this algorithm and probably others that have been surreptitiously weakened by the NSA.

-- 
Rich P.