Ethics (or unethicality) of mass government surveillance

Original author: Eric Roberts
Translator's note: lately, cryptographic algorithms based on elliptic curves have become increasingly popular. In the world of cryptography it is not worth reinventing the wheel (something we have written about more than once on our favorite hub); it is best to follow the standards. However, not all standards are equally useful.
PS: the translation is not especially novel, but some of the audience may still learn something new from it.


The NSA is often suspected of building backdoors into algorithms and encryption systems. The most serious accusations were made against the NSA in November 2007, after the release of the official NIST standard for random bit generators.

Almost all encryption schemes rely on random numbers to produce ciphertext. Modern cryptography uses random numbers for many purposes, starting with the generation of encryption keys. The quality of the generated random sequences is therefore critical: if an attacker can compromise the random number generator used to encrypt a message (that is, predict its output), he will be able to decrypt the message.

Designing random sequence generators is a very difficult task, and many attacks on ciphers are in fact attacks on these generators. NIST developed the NIST Special Publication 800-90 standard, which describes several techniques for obtaining cryptographically strong random sequences and recommends them for use across many fields. Many software and hardware developers take this standard as the basis for their implementations of cryptographic algorithms (translator's note: this standard has also been covered on Habr).

The standard specifies four different Deterministic Random Bit Generator (DRBG) mechanisms, each built on a different cryptographic primitive:
  • based on hash functions (Hash_DRBG);
  • based on a keyed-hash message authentication code (HMAC_DRBG);
  • based on block ciphers (CTR_DRBG);
  • based on elliptic curves (Dual_EC_DRBG).

Doubts about this standard were raised by the elliptic-curve generator, DUAL_EC_DRBG. The first problems were found in 2006, when Daniel Brown and Kristian Gjøsteen showed that DUAL_EC_DRBG produces random numbers with a small bias. In 2007, at the CRYPTO conference, Dan Shumow and Niels Ferguson demonstrated a weakness in this generator which they regarded as a deliberately planted backdoor: the constants used by the generator are related to a secret set of numbers, and whoever holds that set can predict the generator's output and thereby read messages encrypted with it.

And what about the NSA? The NSA works with NIST as the national expert in cryptography. DUAL_EC_DRBG is the slowest of the proposed methods for obtaining random sequences, and many wondered why this generator was included in the standard at all. Bruce Schneier explained that the NSA was the initiator and main lobbyist for its inclusion. Schneier drew no firm conclusions, but suggested that the NSA wanted to retain the ability to read encrypted messages: “I don’t understand why the NSA so persistently suggested including DUAL_EC_DRBG in the standard ... If you need a random sequence generator, I do not recommend using Dual_EC_DRBG under any pretext. If you want to follow NIST SP 800-90, use CTR_DRBG or Hash_DRBG.”
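To show what one of the recommended alternatives actually looks like, and why the quality of the entropy fed into it matters so much, here is an added example (not code from the original article, from NIST, or from any library) of a Hash_DRBG built on SHA-256 following the structure of SP 800-90A: a derivation function Hash_df, an instantiate step that sets the internal state V and constant C, a generate step, and a reseed step. The sample entropy and nonce values are constructed for the demonstration; the `predictable_if_seed_known` helper and the short reseed interval are assumptions made for illustration and are not part of the standard. A real deployment would take entropy from an approved source such as the operating system, as `from_os_entropy` does.

```python
import hashlib
import os

OUTLEN = 32            # SHA-256 output length in bytes
SEEDLEN = 55           # seedlen = 440 bits for SHA-256 (SP 800-90A, Table 2)
RESEED_INTERVAL = 2**48  # maximum generate requests between reseeds


def _hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_df(input_string: bytes, no_of_bits_to_return: int) -> bytes:
    """Hash_df: derive `no_of_bits_to_return` bits by hashing counter || bitlen || input."""
    out_len_bytes = (no_of_bits_to_return + 7) // 8
    iterations = (out_len_bytes + OUTLEN - 1) // OUTLEN
    temp = b""
    for counter in range(1, iterations + 1):
        temp += _hash(bytes([counter]) + no_of_bits_to_return.to_bytes(4, "big") + input_string)
    return temp[:out_len_bytes]


class HashDRBG:
    """Hash_DRBG (SHA-256) without the optional additional_input path."""

    def __init__(self, entropy_input: bytes, nonce: bytes, personalization: bytes = b""):
        # Instantiate: V = Hash_df(entropy || nonce || personalization), C = Hash_df(0x00 || V)
        seed_material = entropy_input + nonce + personalization
        self.V = hash_df(seed_material, SEEDLEN * 8)
        self.C = hash_df(b"\x00" + self.V, SEEDLEN * 8)
        self.reseed_counter = 1

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        # Reseed: mix fresh entropy into the existing V and recompute C
        seed_material = b"\x01" + self.V + entropy_input + additional_input
        self.V = hash_df(seed_material, SEEDLEN * 8)
        self.C = hash_df(b"\x00" + self.V, SEEDLEN * 8)
        self.reseed_counter = 1

    def _hashgen(self, n_bytes: int) -> bytes:
        # Hashgen: hash V, V+1, V+2, ... (mod 2^seedlen) until enough output is produced
        data = int.from_bytes(self.V, "big")
        out = b""
        while len(out) < n_bytes:
            out += _hash(data.to_bytes(SEEDLEN, "big"))
            data = (data + 1) % (1 << (SEEDLEN * 8))
        return out[:n_bytes]

    def generate(self, n_bytes: int) -> bytes:
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        out = self._hashgen(n_bytes)
        # State update: V = (V + Hash(0x03 || V) + C + reseed_counter) mod 2^seedlen
        h = _hash(b"\x03" + self.V)
        v = (int.from_bytes(self.V, "big") + int.from_bytes(h, "big")
             + int.from_bytes(self.C, "big") + self.reseed_counter) % (1 << (SEEDLEN * 8))
        self.V = v.to_bytes(SEEDLEN, "big")
        self.reseed_counter += 1
        return out


def from_os_entropy(personalization: bytes = b"") -> HashDRBG:
    """Instantiate with entropy and nonce from the operating system (the normal case)."""
    return HashDRBG(os.urandom(32), os.urandom(16), personalization)


def predictable_if_seed_known(entropy_input: bytes, nonce: bytes, n_bytes: int = 64) -> bool:
    """Illustration of the article's point: a DRBG is deterministic, so anyone who knows
    (or can guess) the seed material reproduces the exact same output stream."""
    victim = HashDRBG(entropy_input, nonce)
    observer = HashDRBG(entropy_input, nonce)
    return victim.generate(n_bytes) == observer.generate(n_bytes)


if __name__ == "__main__":
    # Constructed sample seed material; never use fixed values like these in practice.
    drbg = HashDRBG(entropy_input=b"\x11" * 32, nonce=b"\x22" * 16, personalization=b"demo")
    print(drbg.generate(32).hex())
    print("seed known -> output predictable:", predictable_if_seed_known(b"\x11" * 32, b"\x22" * 16))
    print("OS-seeded:", from_os_entropy().generate(16).hex())
```

The security of the construction rests entirely on `entropy_input` and `nonce` being unpredictable; the hash chain only stretches that entropy, it cannot create any. The `predictable_if_seed_known` function makes the article's warning concrete: two instances seeded identically emit byte-for-byte identical streams, which is exactly the property an attacker who controls or can predict the seed (or, in the Dual_EC case, the internal state) exploits.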
