by periodontal 3909 days ago
One point this doesn't (appear to) consider is the type of vulnerability that it is possible to embed. Forcing a curve parameter with the prefix 0xBADA55 is eminently feasible given the many available design choices (as this shows, though I'm not sure this was in dispute), but there's a long way between this and the type of vulnerability that the NSA would be most comfortable with.

Consider Dual_EC_DRBG: by all indications this was a "NOBUS" vulnerability (exploitable by "nobody but us") since the private key to unlock the backdoor had to be created at design time and wouldn't be recoverable by any other user of the system. With the NIST seed-hashing technique used to generate these curves, however, only a relatively small number of bits of structure can be forced in the result (assuming no preimage attack on SHA-1, which is still presumed difficult even now, let alone in 1999 when the curves were specified).

This more or less makes Jerry Solinas in the thought experiment resort to weakening the curve by forcing the choice into a suitably large set of privately-known weak curves (which might only constitute 1 in a billion of the publicly acceptable curves). However, it's not possible for these attacks to insert enough structure for a Dual_EC-style private key, so in theory they end up weak against all attackers (including other nation states) if they can perform the same analysis. This (assuming that no one else has discovered the weak class of curves) is a very risky needle to thread when you are still recommending NIST-384 for use in protecting top secret information even now, over 15 years later.

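Added example, not from either commenter: a toy model of the NIST seed-hashing step that shows why a designer with a budget of roughly 2^k hash evaluations can force only about k bits of structure into a derived coefficient (a prefix such as 0xBADA55 is cheap, a full 384-bit parameter of their choosing is not, absent a SHA-1 preimage attack). SHA-1 is real; the counter-based seeds and the single-hash derivation are simplifying assumptions, since the real FIPS 186 procedure hashes the seed with a counter to fill the field width and then solves for b.

```python
import hashlib
from typing import Tuple

# Simplified model (assumption) of the FIPS 186 "verifiably random" curve
# coefficient derivation: the published coefficient is a function of SHA-1
# of a 160-bit seed. Only the hash step is kept, because that is what limits
# how much structure the seed chooser can impose on the result.
def coefficient_from_seed(seed: bytes) -> bytes:
    return hashlib.sha1(seed).digest()


def force_prefix(prefix: bytes, max_trials: int) -> Tuple[bytes, int]:
    """Search seeds until the derived coefficient starts with `prefix`.

    Returns (seed, trials). Seeds are a plain counter here (assumption);
    any seed-selection strategy costs about 2**(8*len(prefix)) hashes on
    average, because SHA-1 output is effectively unpredictable.
    """
    for counter in range(max_trials):
        seed = counter.to_bytes(20, "big")  # 160-bit seed, as in FIPS 186
        if coefficient_from_seed(seed).startswith(prefix):
            return seed, counter + 1
    raise RuntimeError("no matching seed within max_trials")


def expected_trials(prefix_bits: int) -> int:
    """Expected hash evaluations to force `prefix_bits` bits of structure."""
    return 2 ** prefix_bits


def forcible_bits(hash_budget_log2: int, parameter_bits: int) -> int:
    """Bits of a parameter a designer can dictate with 2**budget hashes.

    The rest of the parameter is whatever SHA-1 happens to output, which is
    why a Dual_EC-style private key cannot be planted this way.
    """
    return min(hash_budget_log2, parameter_bits)


if __name__ == "__main__":
    seed, trials = force_prefix(b"\xba\xda", 1 << 22)
    print(f"seed {seed.hex()} forces prefix 0xBADA after {trials} trials")
    print("expected cost to force 0xBADA55:", expected_trials(24))
    # Even 2**80 hashes dictate only 80 of a 384-bit coefficient's bits.
    print("bits forcible with 2**80 hashes:", forcible_bits(80, 384))
```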

This is a good question.

One way to get a NOBUS vulnerability that allows GCHQ to recommend a curve (and thus see it deployed on systems they care about) and break that same curve is for the vulnerability to be mitigated with an additional parameter check. For instance, maybe a particular weak curve is safe to use if you exclude a small subset of points. GCHQ's implementations do the additional check, but nobody else does that (why would it ever occur to them to check? would they even know what to check for?).

Dual_EC is, of course, the gold standard of NOBUS backdoors: it's literally a strongly-encrypted backdoor!