[tor-talk] NIST approved crypto in Tor?

Eugen Leitl eugen at leitl.org
Sat Sep 7 02:46:09 PDT 2013


----- Forwarded message from "Sebastian G. <bastik.tor>" <bastik.tor at googlemail.com> -----

Date: Sat, 07 Sep 2013 11:25:24 +0200
From: "Sebastian G. <bastik.tor>" <bastik.tor at googlemail.com>
To: tor-talk at lists.torproject.org
Subject: [tor-talk] NIST approved crypto in Tor?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
Reply-To: tor-talk at lists.torproject.org

Hi,

Tor switches over to ECC what's a reasonable step.

I'm unable to find the blog post (or maybe it was an official comment on
the blog) [With DDG and StartPage] where someone said that if the NIST
(I guess) is not lying ECC is safe.

Is the ECC used by Tor in some way certified by NIST?

Are other parts of Tor certified by NIST?

Recent leaks revealed that the NSA spends many resources in influencing
standards to make their lives easier (or not too hard). NIST could be
either participating or tricked into preferring standards that are weak
in some regard. Note that I'm not saying that this is the case, but it
could be.

I was able (it was not a blog post, it was an essay) to find what Bruce
Schneier wrote about the NSA preferring a weak random-number-generator. [1]

Quotes [my comments, notes]:
"The U.S. government released a new official standard for random-number
generators this year [essay from 2007], and it will likely be followed
by software and hardware developers around the world."

"(...) the 130-page document contains four different approved
techniques, called (...) "Deterministic Random Bit Generators." All four
are based on existing cryptographic primitives. One is based on hash
functions, one on HMAC, one on block ciphers and one on elliptic curves."

" (...) one of those generators (...) Dual_EC_DRBG [elliptic], (...)
three orders of magnitude slower than its peers."

" It's in the standard only because it's been championed by the NSA,
which first proposed it years ago in a related standardization project
at the American National Standards Institute."

"The math is complicated, but the general point is that the random
numbers it produces have a small bias. [2006 knowledge]"

"But today [2007] there's an even bigger stink brewing around
Dual_EC_DRBG" (...) Dan Shumow and Niels Ferguson showed that the
algorithm contains a weakness that can only be described as a backdoor."

"There are a bunch of constants -- fixed numbers -- in the standard used
to define the algorithm's elliptic curve. These constants are listed in
Appendix A of the NIST publication, but nowhere is it explained where
they came from."

" (...) these numbers have a relationship with a second, secret set of
numbers (...). If you know the secret numbers, you can predict the
output of the random-number generator after collecting just 32 bytes of
its output. (...) you only need to monitor one TLS internet encryption
connection in order to crack the security of that protocol. If you know
the secret numbers, you can completely break any instantiation of
Dual_EC_DRBG."

"The researchers don't know what the secret numbers are. (...) the way
the algorithm works, the person who produced the constants might know;
he had the mathematical opportunity to produce the constants and the
secret numbers in tandem."

" (...) we have no way of knowing whether the NSA knows the secret
numbers that break Dual_EC-DRBG [or not, we can't know]"

Read the full essay which contains links to papers if you are interested.

And the NSA work on standards repeatedly.
"The NSA has always been intimately involved in U.S. cryptography
standards -- it is, after all, expert in making and breaking secret codes."

That's also what comes out of the Snowden leaks.

I understand that ECC used for Tor is different from what the essay is
about.

However the NSA may found something it can exploit in ECC and made NIST
(maybe unknowingly) standardize the curve (or whatever) that is most
vulnerable or recommends for a weak one, or for too short keys.

Does Tor use stuff certified or recommended by NIST?

If so would it be reasonable to move to international standards
(whatsoever) without the involvement of NIST and NSA 'consultation'?
(Completely unrelated to what might be going on, just as defense-in-depth.)

The NSA likes playing around. [2][3] (found while searching)

Oh and I'm not trying fear-mongering here or try to conspire whenever or
not the NSA has subverted cryptographic functions (in one way or another).

Best,
Sebastian G.

[1] https://www.schneier.com/essay-198.html
[2] https://www.schneier.com/blog/archives/2008/01/nsa_backdoors_i.html
[3] https://www.schneier.com/blog/archives/2013/07/simon_and_speck.html
-- 
tor-talk mailing list - tor-talk at lists.torproject.org
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5



More information about the cypherpunks mailing list