From eugen@leitl.org Sun Sep 22 12:09:50 2013
From: Eugen Leitl
To: cypherpunks@lists.cpunks.org
Subject: Re: [cryptography] [Cryptography] RSA equivalent key length/strength
Date: Sun, 22 Sep 2013 18:09:44 +0200
Message-ID: <20130922160943.GL10405@leitl.org>

----- Forwarded message from ianG -----

Date: Sun, 22 Sep 2013 15:32:42 +0300
From: ianG
To: cryptography(a)randombit.net
Subject: Re: [cryptography] [Cryptography] RSA equivalent key length/strength
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8

On 19/09/13 00:23 AM, Lucky Green wrote:
> According to published reports that I saw, NSA/DoD pays $250M (per
> year?) to backdoor cryptographic implementations. I have knowledge of
> only one such effort. That effort involved DoD/NSA paying $10M to a
> leading cryptographic library provider to both implement and set as
> the default the obviously backdoored Dual_EC_DRBG as the default RNG.

So, boom. Once the finger is pointed so directly, this came tumbling down within a day or two.

http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/
http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html?

One mystery is left for me. Why so much? It clearly doesn't cost that much money to implement the DRBG, or if it did, I would have done it for $5m, honest injun! Nor would it cost that to test it nor to deploy it en masse. Documentation, etc.

What are we to conclude was the reason for such a high cost? Conscience sedative? Internal payoffs?

> This was $10M wasted.
> While this vendor may have had a dominating
> position in the market place before certain patents expired, by the
> time DoD/NSA paid the $10M, few customers used that vendor's
> cryptographic libraries.

Another theory - take a fool's money?

And, what happens to RSA now? If this is business-as-usual, does this mean that when the Feds show up to my door with 'a proposal' that I should see the mutual interest in sharing my customer's data with them by means ecliptic & exotic? Take the 30 pieces of silver (adj. for 2000 years of inflation), and be happy they're also keeping my struggling business in the black? Or grey?

Or, is it the new Crypto AG? Is RSA the new byword for sellout? Does RSA go out of business? An Arthur Andersen event?

In which case I have no choice. I have a reason to preserve the privacy of my customers, and tell the NSA I'm not interested in their cyanide pill patriotism.

iang

_______________________________________________
cryptography mailing list
cryptography(a)randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5