This is an article about Dual_EC_DRBG.. [edit: the final algo was] published in June 2006, and criticized as insecure by the end of June 2006. Here's Schneier's summary:
https://www.schneier.com/essay-198.html
Not only was it immediately criticized as being insecure, it's also slow.. I doubt anyone used this algo.. certainly, after 7 years of public criticism, anyone who used it would have replaced it by now.
So, when are we going to start seeing CVEs from these vendors, and updates to their software that disable this "feature"?
Cisco, Certicom, RSA, McAfee (via RSA), Juniper, Blackberry/RIM, OpenPeak, OpenSSL, Samsung, Symantec, Riverbed, Cummings Engineering, CoCo Communications, Kony, Lancope (via RSA), Mocana, Safenet, SafeLogic, Panzura, Microsoft, Thales e-Security, Catbird, ARX all list Dual_EC_DRBG as at least supported.
Of these, RSA (and presumably the others based on theirs, like McAfee and Lancope), Thales e-Security, and possibly Microsoft (Windows Server 2008 R2 lists only Dual_EC_DRBG, though it's possible that that's just their only FIPS compliant one and they use some non-standard algorithm by default) seem to use Dual_EC_DRBG by default or as the only option. I haven't tried finding documentation on all of these to see if they say what their default algorithm is, so it may be more.
edit to add: Found this discussion on the OpenSSL users list, about why they added it. Apparently it was because a paying customer requested it, though the customer is not named for confidentiality reasons. OpenSSL doesn't appear to enable the NIST/FIPS random number generators unless you compile it in FIPS mode (at least, as far as I can tell from a quick look; their build system is a bit weird, and FIPS mode is even stranger):
That tells you who has a certification for it. Note most people have certifications for multiple RNGs, including openssl (indeed a few of those modules are wrappers around openssl).
The one company that only has a cert for EC_DRBG, and thus can reasonably be inferred to be using it, is Lancope, a network security/firewall company. For the rest of them, we don't know.
McAfee Firewall Enterprise Control Center only has dual EC_DRBG certified (despite the fact the RSA library they use supports others; strongly suggesting it's what they actually use).
A few days ago, there was a lot of talk about how Tor has backdoors, because it is funded by the US Government.
The answer to that question is also here. You have the NIST, a government entity that is opposing another government entity, the NSA, because the former does not agree with the latter's practices. We should not forget that the government is not one cohesive entity and this is an example of that.
Likewise, one should also remember that no single entity is singularly cohesive; that there are people working from within, even from within the "controversial" agencies, trying to make the places they work better for the country.
There is certainly much good intention, more than is given credit for, in most government agencies. The reason I don't want to fund them to a great extent is that the bureaucracy of almost any large entity causes serious problems in inefficiency. I'd not want IBM running our government, and I don't want our federal government running our government.
People might be surprised at how much public-private cooperation goes on between businesses and government research entities like NIST.
In fact, an explicit part of NIST's role is filling in science that businesses need but can't do themselves.
NIST started out as the National Bureau of Standards. It sits in the Department of Commerce. Most of its activities are directed at tasks-- like standardizing measurements-- that businesses depend on, but are too small, or too balkanized, to do effectively on their own.
Unless, you know, you like every corner gas station having its own definition of "gallon", and every appliance manufacturer rating its offerings using different definitions of energy, and every steel producer specifying tensile strength according to its own test procedure.
Disclosure-- I had a post-doc at NIST in the late 1990s.
Is the DEC PRG not the same as the Dual EC DRBG (also by Kelsey), or is the 2006 paper wrong about Dual EC being breakable on a desktop computer, or is there some other subtlety I'm missing? Because the conclusion Ferguson came to in '07 wasn't that Dual EC was bad because it was trivially breakable.
(Nobody I know of uses Dual-EC, and you shouldn't either).
The 2006 paper calls the Dual EC DRBG the DEC PRG. They're the same thing.
Their attack does work in the advertised time, but it is a purely distinguishing attack, i.e., it tells you "this stream of random bits was generated by the DEC PRG". It does this by verifying that the 256-bit integers constructed using the 240 bits of the generator as least-significant bits are more often valid points on the P-256 curve than truly random 240-bit strings would be. A 2007 paper extended this to predict bits.
EDIT: Actually, for the record, the first public attack on the generator was a predictor, in March 2006 [1]. Citing its conclusion:
"While the practical impact of these results are modest, it is hard to see how these flaws would be acceptable in a pseudo-random bit generator based on symmetric cryptographic primitives. They should not be accepted in a generator based on number-theoretic assumptions."
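An added illustration, not code from the thread, of the 240-bit truncation that the distinguishing attack above rests on: a minimal Dual_EC_DRBG over P-256 using the P and Q constants published in SP 800-90A Appendix A.1 (the point-arithmetic helpers, the seed and the `completions_on_curve` check are my own, and the standard's seeding and reseeding details are omitted). Each output block is the x-coordinate of a real curve point with its top 16 bits dropped, so the true 16-bit prefix always completes it to a valid x-coordinate, whereas a random prefix does so only about half the time.

```python
# NIST P-256 constants and the Dual_EC_DRBG P and Q points from SP 800-90A Appendix A.1.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
DUAL_EC_P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
             0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
DUAL_EC_Q = (0xc97445f45cdef9f0d3e05e1e585fc297235b82b5be8ff3efca67c59852018192,
             0xb28ef557ba31dfcbdd21ac46e2a91e3c304f44cb87058ada2cb815151e610046)

def is_valid_x(x):
    """True if x is the x-coordinate of some P-256 point, i.e. x^3 + ax + b is a square mod p."""
    rhs = (pow(x, 3, P256_P) + P256_A * x + P256_B) % P256_P
    return rhs == 0 or pow(rhs, (P256_P - 1) // 2, P256_P) == 1

def point_add(p1, p2):
    """Affine addition (or doubling) on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P256_P == 0:
        return None                                   # P + (-P)
    if x1 == x2:                                      # doubling: tangent slope
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P)
    else:                                             # addition: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P)
    lam %= P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return x3, (lam * (x1 - x3) - y1) % P256_P

def scalar_mult(k, pt):
    """Double-and-add computation of k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def dual_ec_blocks(seed, count):
    """Run the generator: state s -> x(s*P); output x(s*Q) with its top 16 bits dropped.
    Returns (full_x, truncated_output) pairs so the leak can be checked (seed is constructed)."""
    s, blocks = seed, []
    for _ in range(count):
        s = scalar_mult(s, DUAL_EC_P)[0]
        r = scalar_mult(s, DUAL_EC_Q)[0]
        blocks.append((r, r & ((1 << 240) - 1)))
    return blocks

def completions_on_curve(output, prefixes):
    """Count the 16-bit prefixes that turn a 240-bit output block into a valid x-coordinate.
    The true prefix always counts; other prefixes count only about half the time."""
    return sum(is_valid_x((t << 240) | output) for t in prefixes)
```

Trying all 65536 prefixes per block is what the published distinguisher does in bulk; the bias per block is tiny, which is why the attack needs many output blocks.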
> Asked whether Microsoft would continue to use the encryption standard in some of its software, a spokesperson said the company "is evaluating NIST's recent recommendations and as always, will take the appropriate action to protect our customers."
We know today that MS hands exploits over to the NSA.
Also, the likelihood that the NSA was allowed to integrate backdoors in MS Windows is extremely high.
How do you square that with "take the appropriate action to protect our customers"?
Additionally, backdoors/exploits can be used not only by their creators but also by others who find them, making MS's "protect the customers" claim even more ridiculous.
I don't understand the rationale to introduce such weakness. The NSA doesn't have the monopoly on spying and cracking code. This weakens defense of USA's interest as well. This raises again the question of whether we can trust the people holding such power in their hands.
People referred to them as "No Such Agency" for a long time. It's kind of nice to see how they went from extreme public obscurity to a household name; it's hard to stay clandestine when even Joe Nobody knows who you are and exactly what you do.
Laws surrounding murder by and large aren't all that important. If it wasn't illegal you'd just have mob justice filling the gap, as murder is generally frowned upon quite severely by society.
Ideas surrounding freedom, liberty, and privacy are very complex, easily confused, and often forgotten until it's too late. The laws around these things are mechanisms which help protect what your country supposedly holds dear.
But in answer to your actual question, would you believe them if they said they hadn't?
It's unlikely that that would happen, unless we suddenly get a new president in the coming years who is unlike the rest and vehemently anti-domestic surveillance.
They might undergo some reform, but the government apparatus has been far too reliant on many aspects of their work to actually shut them down.
I "strongly suggest" everyone drops NIST's encryption standards as soon as there are viable alternatives to them. They can't be trusted ever again, and it's best to form another truly international security standards body, anyway, with ties to no government.
And how do you know the "independent" organization that comes up with the next encryption standard wasn't covertly influenced or controlled by a hostile entity[1]?
Public scrutiny and peer review are the best defenses, and the NIST did as much.
[1] IMHO, I'm far more concerned about China and Russia than the US.
This. Seriously, their algorithms and mathematics are public and under constant scrutiny from the entire cryptographic community. The vulnerabilities in RSA are known, sha already has a third version ready if a systemic weakness in 128->512 bit sha1/2 is revealed, and AES may require 512 bit keys for guaranteed security in the future, but seems solid.
They can't backdoor a math function because all 3 have been implemented by dozens of libraries and programs independently.
AES is only defined for 128, 192, or 256 bit keys. You'd need to switch to a different block cipher like Blowfish (up to 448 bit keys), RC2 (up to 1024 bit keys), or RC5 (up to 2048 bit keys) to have a larger keyspace.
If Bruce Schneier thinks that strong symmetric crypto works (the math behind it is sound) I think I will also trust it.
The attacks are usually on the implementations or subverting the rng. Or plain old thermorectal cryptanalysis - it obtains both symmetrical and asymmetrical keys in fixed time.
If Microsoft was seriously pissed and not fearful, they'd sic Microsoft Research on them.
Also Google, FB, Yahoo etc should provide grants so independent cryptologists can spend time to review and test encryption standards. They don't have to match NSA's budget...
> independent cryptologists can spend time to review and test encryption standards.
It's a small world. They need money to do their work. MS, Google, FB, Yahoo!, etc haven't been providing the funding or the jobs. GCHQ, NSA, etc have been providing money and jobs. It's too late - there are no independent cryptologists.
Maybe, but Google, Microsoft, FB and other top tech companies are even more connected to colleges than NSA. They know their top students and can easily lure them with grants and even prizes. I remember talking to PhD students having to live on $20K a year; imagine how a $50K grant and a possible $1 Million prize feels to him/her. If needed, tech companies as a whole can very easily outspend NSA, if they want to. Unless they do something, other than filing PR lawsuits, they have only themselves to blame.
(Of course the brightest mathematicians are used to fool people into clicking on ads. But that's another story.)
First critique from June 2006: http://eprint.iacr.org/2006/190