1. 16

  2. 3

    A discussion of this is starting on the cryptography@metzdowd.com mailing list: http://www.metzdowd.com/pipermail/cryptography/2013-September/017099.html

    There has been a lot of good discussion on that list lately. The people who post to it seem to be well-informed.

    1. 2

      There’s been some interesting discussion lately on the randombit cryptography mailing list too:


      Definitely have to check the metzdowd list.

    2. 1

      The reporting on this is frustratingly vague about the NIST standard changes made by the NSA. Are we talking about the ecc random number generator which nobody uses? Or something else that people do use?

      1. 1

        I believe it is Dual_EC_DRBG. The ProPublica story http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption says:

        Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

        This appears to describe the NIST SP 800-90 situation pretty precisely. I found Schneier’s contemporaneous article to be good at refreshing my memory: http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

        (quoted from the mailing list thread I linked)