Experts report potential software "back doors" in U.S. standards

[Uwe Cerron]

Hello,

I was wondering what are your opinions on an open source project i am
developing decentralbank.com, i began building it as a colored coins
bitcoin wallet complementary to open transactions audit servers,which act
as multisignature wallets among other things,if colored coins were used
people would exchange the rights to the bitcoin stored in the audit server
and skip transaction fees, i thought this would be very useful for low
income countries where the transaction fee may seem exorbitant.

I will be using open transactions technology and will be expanding audit
servers which allow multi signature deposits to support colored coin
definitions as a way to create a decentralized asset definition storage for
colored coins. I was wondering if you guys think there is demand for this
or am i just wasting my efforts?

The repo is open source and located here https://github.com/DecentralBank
Open transactions audit servers are part of the voting pools scheme for
those of you who don't know here is the link
http://opentransactions.org/wiki/index.php?title=Category:Voting_Pools

Thanks,
Uwe Cerron


On Tue, Jul 15, 2014 at 9:38 AM, Eugen Leitl <eugen at leitl.org> wrote:

>
>
> http://www.reuters.com/article/2014/07/15/usa-nsa-software-idUSL2N0PP2BM20140715
>
> Experts report potential software "back doors" in U.S. standards
>
> BY JOSEPH MENN
>
> SAN FRANCISCO, July 14 Mon Jul 14, 2014 8:58pm EDT
>
> (Reuters) - U.S. government standards for software may enable spying by the
> National Security Agency through widely used coding formulas that should be
> jettisoned, some of the country's top independent experts concluded in
> papers
> released on Monday.
>
> Such mathematical formulas, or curves, are an arcane but essential part of
> most technology that prevents interception and hacking, and the National
> Institute of Standards and Technology (NIST) has been legally required to
> consult with the NSA's defensive experts in approving them and other
> cryptography standards.
>
> But NIST's relationship with the spy agency came under fire in September
> after reports based on documents from former NSA contractor Edward Snowden
> pointed to one formula in particular as a Trojan horse for the NSA.
>
> NIST discontinued that formula, called Dual Elliptic Curve, and asked its
> external advisory board and a special panel of experts to make
> recommendations that were published on Monday alongside more stinging
> conclusions by the individual experts.
>
> Noting the partially obscured hand of the NSA in creating Dual Elliptic
> Curve
> - which Reuters reported was most broadly distributed by security firm RSA
> [USN:nL2N0JZ1B6] - the group delved into the details of how it and other
> NIST
> standards emerged. It found incomplete documentation and poor explanations
> in
> some cases; in others material was withheld pending legal review.
>
> As a whole, the panels recommended that NIST review its obligation to
> confer
> with the NSA and seek legal changes "where it hinders its ability to
> independently develop the best cryptographic standards to serve not only
> the
> United States government but the broader community."
>
> They also urged NIST to weigh the advice of individual task force members
> who
> made more dramatic suggestions, such as calling for the replacement of a
> larger set of curves approved for authenticating users, in part because
> they
> were selected through unclear means by the NSA.
>
> "It is possible that the specified curves contain a back door somehow,"
> said
> Massachusetts Institute of Technology professor Ron Rivest, a co-founder of
> RSA and the source of the letter R in its name. Though the curves could be
> fine, he wrote, "it seems prudent to assume the worst and transition away."
>
> More broadly, Rivest wrote, "NIST should ask the NSA for full disclosure
> regarding all existing standards... If NSA refuses to answer such an
> inquiry,
> then any standard developed with significant NSA input should be assumed to
> be `tainted,'" absent proof of security acceptable to outsiders.
>
> In an email exchange, Rivest told Reuters that "NIST needs to have a
> process
> whereby evidence is publicly presented" about how the curves were chosen.
>
> The curves faulted on Monday had been questioned by outsiders after media
> reports in September said the NSA could break much widely used security
> software, without detailing which ones or how. "These curves are ubiquitous
> in commercial cryptography," Johns Hopkins University professor Matthew
> Green
> said in an interview. "If you connected to Google or Facebook today, you
> probably used one."
>
> Rivest's long association with RSA, now part of electronic storage maker
> EMC
> Corp, made his remarks more poignant. But prominent task force colleagues
> including Internet co-creator Vint Cerf and Ed Felten, former chief
> technologist at Federal Trade Commission, also gave strongly worded
> verdicts
> on the Department of Commerce unit.
>
> "It cannot be accepted that NIST's responsibilities should be co-opted by
> the
> NSA's intelligence mission," wrote Cerf, who now works at Google Inc.
>
> While Rivest called the internal history of Dual Elliptic Curve a "smoking
> gun" with an "almost certain" NSA back door, Felten wrote that NSA might
> not
> remain alone in its ability to use it and other possible NIST-approved
> holes
> for spying.
>
> In each of three cases, including Dual Elliptic Curve and the more common
> curves faulted by Rivest, Felten said the suspected back door access
> "reduces
> the security of users against attack by other adversaries, including
> organized crime groups or foreign intelligence services."
>
> The NSA might have been able to generate curves that pass cursory security
> tests but are still breakable through the aid of sheer computing power,
> because it can try millions of curves and get a few that fit its goals.
> But a
> researcher working for another country could discover the flaw, Felten
> said.
>
> In the case of the curves approved under the FIPS 186 standard for
> authenticating digital signatures, NIST should start over and pick its own
> curves publicly rather than relying on the NSA, Felten and others said.
>
> Several experts said NIST had to hire more cryptographers and strengthen
> its
> internal processes to avoid relying on NSA.
>
> NIST acting Director Willie May agreed in a statement, saying his agency
> "must strengthen its in-house cryptography capabilities to ensure we can
> reach independent conclusions about the merits of specific algorithms or
> standards."
>
> NIST did not respond to a Reuters email asking about the fate of the
> suspect
> curves. (Reporting by Joseph Menn; Editing by Ken Wills)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 8426 bytes
Desc: not available
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20140715/01f9858a/attachment-0001.txt>