Worried OpenSSL uses NSA-tainted crypto? This BUG has got your back
It has been revealed that the cryptography toolkit used by reams of software from web browsers for HTTPS to SSH for secure terminals is not using the discredited random number generator Dual EC DRBG.
And that's due to a bug that's now firmly a WONTFIX.
A coding flaw uncovered in the library prevents "all use" of the dual elliptic curve (Dual EC) deterministic random bit generator (DRBG) algorithm, a cryptographically weak algorithm championed by none other than the NSA.
No other DRBGs used by OpenSSL are affected, we're told.
"The nature of the bug shows that no one has been using the OpenSSL Dual EC DRBG," Steve Marquess of the OpenSSL Software Foundation wrote yesterday in a mailing list post. He credited the find to Stephen Checkoway and Matt Green of the Johns Hopkins University Information Security Institute.
The bug in fips_drbg_ec.c can be fixed with a one-line change so that the Dual EC DRBG state is updated and its output used. It is a rare example of a software screwup that has beneficial side-effects.
http://www.theregister.co.uk/2013/12/20/openssl_crypto_bug_beneficial_sorta/
cantbeserious
(13,039 posts)
eom
FarCenter
(19,429 posts)
randome
(34,845 posts)
The idea that the NSA has secret 'back doors' into everything is always couched in techno-babble to make it sound more believable for the gullible.
Because technology is so damned complicated! Peons like us can't be bothered to know what's right or wrong!
Stop looking for heroes. BE one.
cantbeserious
(13,039 posts)
eom
FarCenter
(19,429 posts)
He sees you when you're sleeping
He knows when you're awake
He knows if you've been bad or good
So be good for goodness sake
cantbeserious
(13,039 posts)
eom
dixiegrrrrl
(60,010 posts)
Are DRBGs something from Dr. Who?
or what?
Man, way behind the learning curve here.
FarCenter
(19,429 posts)
If you want to generate a secret to use for communicating with a confidant, you have to generate something that an adversary cannot guess, i.e. something like the heads and tails of a coin flip.
This can be done by taking a source of randomness that is available to the computer, e.g. the interval in microseconds between keystrokes while typing, and then using that data as input to an algorithm that transforms the numbers into a string of bits that are the secret.
NSA caused the particular DRBG to generate bit strings that could be guessed in a number of tries that could be computed with the computers available to NSA. Therefore they would be able to guess the secret and undo the encryption between you and your confidant.
However, their efforts were for naught in this particular widely-used implementation of SSL, since a bug in the code caused the NSA-designed DRBG to never be used. Other, presumably secure, DRBGs would be used by the code instead.
PS - SSL is the Secure Sockets Layer, a communications protocol layer between the Transmission Control Protocol and the Hyper Text Transfer Protocol. Your browser should show a little lock icon or similar signal when SSL is being used. It is the "S" in "HTTPS".
dixiegrrrrl
(60,010 posts)
Tis perfectly clear now.
99Forever
(14,524 posts)
... techno-babble at its finest!
gulliver
(13,193 posts)
It is the "Anti-Privacy," their greatest fear realized. The signs, portents, and prophecies were all correct just like they knew all along. Snowden is a Messiah.