1. Este site usa cookies. Ao continuar a usar este site está a concordar com o nosso uso de cookies. Saber Mais.
  2. Acompanha o evento 'hello again' da Apple, com novidades Mac e mais, a partir das 18:00 no tópico de discussão!
    Remover anúncio

Possible NSA backdoor in Vista SP1?, maybe so, maybe no

Discussão em 'Dúvidas e Suporte—Internet, Redes, Segurança' iniciada por xupetas, 25 de Fevereiro de 2008. (Respostas: 6; Visualizações: 729)

  1. xupetas

    xupetas Banido

    The U.S. government released a new official standard for random-number generators this year, and it will likely be followed by software and hardware developers around the world. Called NIST Special Publication 800-90 (.pdf), the 130-page document contains four different approved techniques, called DRBGs, or "Deterministic Random Bit Generators." All four are based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. It's smart cryptographic design to use only a few well-trusted cryptographic primitives, so building a random-number generator out of existing parts is a good thing.

    But one of those generators -- the one based on elliptic curves -- is not like the others. Called Dual_EC_DRBG, not only is it a mouthful to say, it's also three orders of magnitude slower than its peers. It's in the standard only because it's been championed by the NSA, which first proposed it years ago in a related standardization project at the American National Standards Institute.

    The NSA has always been intimately involved in U.S. cryptography standards -- it is, after all, expert in making and breaking secret codes. So the agency's participation in the NIST (the U.S. Commerce Department's National Institute of Standards and Technology) standard is not sinister in itself. It's only when you look under the hood at the NSA's contribution that questions arise.

    Problems with Dual_EC_DRBG were first described in early 2006. The math is complicated, but the general point is that the random numbers it produces have a small bias. The problem isn't large enough to make the algorithm unusable -- and Appendix E of the NIST standard describes an optional work-around to avoid the issue -- but it's cause for concern. Cryptographers are a conservative bunch: We don't like to use algorithms that have even a whiff of a problem.

    But today there's an even bigger stink brewing around Dual_EC_DRBG. In an informal presentation (.pdf) at the CRYPTO 2007 conference in August, Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness that can only be described a backdoor.

    This is how it works: There are a bunch of constants -- fixed numbers -- in the standard used to define the algorithm's elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.

    What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.

    The researchers don't know what the secret numbers are. But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem.

    Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC-DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants -- and has the secret numbers. We don't know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does.

    We don't know where the constants came from in the first place. We only know that whoever came up with them could have the key to this backdoor. And we know there's no way for NIST -- or anyone else -- to prove otherwise.



  2. Aparicio

    Aparicio /dev/mod
    Staff Member

    Ao ler isto lembrei-me do livro "Fortaleza Digital" de Dan Brown onde a NSA tenta por um backdoor num algoritmo de encriptação. :P Um bom livro para ler.
  3. Flare

    Flare Power Member

    Ao menos o "suspense" mantem-se uns tempos ao contrario do Carnivore do FBI por exemplo, que passado pouquissimo tempo já tinha o sistema todo exposto lol
  4. xupetas

    xupetas Banido

    francamente acho que muitos poucos se aprecebem do buraco de segurança que isto é... e ainda por cima efectuado por um governo com uma agenda muito propria
  5. timber

    timber Zwame Advisor

    Existem 3 outros geradores de números aleatórios não?

    Só o elíptico é que pode estar comprometido, não?
  6. SoundSurfer

    SoundSurfer Power Member

    Gostei do título a referir "Vista SP1" quando na realidade não só não é referido no texto, como ainda por cima o assunto recai sobre um standard do NIST... :rolleyes:
  7. xupetas

    xupetas Banido


Partilhar esta Página