back to article Extended Random: The PHANTOM NSA-RSA backdoor that never was

Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSA's encryption software BSafe. But it appears to be more sound and fury than substance. The brouhaha was kicked off by a Reuters report into an as-yet-unpublished academic study examining the cryptographically crap Dual …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

NSA and extended Randomness.

The salient point is that the NSA acted to dilute security on an encryption standard and that's just the one we know about ..

2
3

This post has been deleted by its author

Anonymous Coward

Reuters eh?

They used to be a respected source of news but these days they scrabble to print any old unsubstantiated biased crap to try and justify their existence. The general news is bad enough but anything even slightly technical seems to be churned out by Stephen Fry.

4
1
Silver badge

Moving On ...... and Sharing the Spoils

The paper referenced in the El Reg article is available for reading here ..... http://cryptome.org/2014/03/DualECTLS.pdf ..... and it has generated this response, which has been sent in an email to its generous host. Its subsequent publication, or not as they case may be, provides additional sensitive information in the fields being explored and quite quietly cleared of wanton imperfections/exclusive perversions which be rendering designedly inequitable personalised advantage to failed organs and organ grinder monkeys.

Our analysis strongly suggests that, from an attacker’s perspective, backdooring a PRNG should be combined not merely with influencing implementations to use the PRNG but also with influencing other details that secretly improve the exploitability of the PRNG. This paper does not attempt to determine whether this is what happened with Dual EC, and does not explore the difficult topic of defending against such attacks, beyond the obvious advice of not using Dual EC. …….. http://cryptome.org/2014/03/DualECTLS.pdf

Hi, John,

You may like to share and advise all with either a need or a wish to know, that there is no defence against such an attack improving upon the exploitability of a discovered systemic vulnerability. And one is therefore at the mercy of, ideally, the good graces of the smart attacker/crack hacker/cryptographic code breaker and/or maker.

And on the reverse side of that COIN coin, the damage that can be done whenever one encounters an agent with malicious intent is catastrophic beyond compare and simple remedy ….. thus the wisdom in ensuring that effective security systems admin in this particular and peculiar field is afforded every luxury desired/all credit facilities required, lest the human temptation to maximise capital gain entertains the dark web side to ……. well, we are talking carefully around Great Game lead, are we not ….. and Virtually Remote Mankind Management? And one imagines, that be an extremely attractive capability and readily available utility to intelligence agencies and server providers anywhere.

2
3
Silver badge

Re: Moving On ...... and Sharing the Spoils

And a leading question here now being asked of austere Blighty’s perceived to be intelligent security service providers, whether spooky public MI5/MI6/CESG/GCHQ troughers or stealthy shadowy unknowns from the private supply sector, is whether they have such a leading universal ability, for there be no credible evidence anyway worldwide, and most certainly not even at home whenever one consider the politically bankrupt state of the nation, of them using it at all effectively to create a Greater IntelAIgent Games Play and better, mutually advantageous beta realities via these strengthening sterling virtual means and cyber memes, which are now to be found everywhere in SMARTR IntelAIgent Systems with Global Operating Devices …… Seriously Clever NEUKlearer HyperRadioProActive Media Machinery?

And who would be being handsomely paid to provide that, and/or commission that from others? What be their name and email address, or is it a vital critical and strategic post which be criminally vacant?

Has it been outsourced to across the pond where Wall Street is destroying everything? Would that be akin to treason?

0
2

Re: Moving On ...... and Sharing the Spoils

What have both of you been drinking or do you revel in wanton syntax errors as some kind of badge?

Both of you don't make sense but at least the OP was mostly quoting.

1
0
Silver badge

Don't attack AIMessengers, Run with ITs Flows

do you revel in wanton syntax errors as some kind of badge? .... Metrognome

No. That would be misleading and subversive and perverse, Metrognome, and counter-productive.

Did you read and understand the paper and recognise the exploitable vulnerabilities cited and in need of secure protection, or did you find it, like I suppose many would, just presently too difficult a struggle too far ahead of the mainstream and abandon it for the false hope and cold comfort that a slaves' ignorance provides and sustains?

0
1

Re: Don't attack AIMessengers, Run with ITs Flows

No mate.

Just your insistence of stringing together unnecessarily long sentences that render them an unreadable nonsense. One way to demonstrate a deep understanding of any topic is the ability to explain it succinctly and in layman's terms.

However, your tirade had nothing to do with topics or issues that are difficult to grasp, just sentences that are badly put together and strewn with faux-smart leet-speak.

1
0
Silver badge

Agreeing to disagree and moving on to an alternate position allows progress to flourish

I agree, Metrognome. Keeping it stupendously simple [KISS] is the way to go, both practically and virtually almost every time so that all can comprehend if they have good brains that work at all well what is being said/shared. [Some folk, as we surely know, have severe learning difficulties and some are brain damaged, and thus are expectations of their understanding of things considerably curtailed]

However, whenever there are sensitive and better kept most secretive issues to be explored and/or discussed, is it, IMHO, always wiser to ensure that not all, nor even many, understand what is uncovered. To target a very particular and/or peculiar audience/mindset, is it necessary to only rattle a few choice doors and not bother all of the rest with something which it may be much safer to exclude them for the present from knowing. Done for all the right reasons, would that be a gracious kindness selflessly afforded, methinks.

0
3
Silver badge

@Metrognome

I have a sneaking suspicion that aMfM1 employs such language to distance his prose from their usual day-day syntax in order to avoid recognition.

Feel free to correct me on this amfm1

edit: ok you beat me to it :)

0
0
Anonymous Coward

I think you missed the Point.

ER only made it easier to crack. Okay, by 16 bits, but Dual Elliptic Curve Deterministic Random Bit Generator is still crackable with relative ease. Unlike the other 3 algorithms in the standard, which are still "computationally unfeasible".

1
0
Anonymous Coward

Exploding The Myth

I keep finding myself repeating this same old adage over and again when it comes to this whole area:

"Never ascribe to malice that which can adequately be explained by incompetence."

The intelligence services' "pivot" away from defense and to offense could easily be explained as a result of their recognition that they just weren't competent enough (or possibly too lazy) to provide a credible defense.

Reports like this only confirm that these people never really were "the smartest guys in the room", and more than their political patrons.

Ask yourself this, what could a seriously competent, non-governmental, university based, "cyber defense" cooperative do with a quarter-trillion dollars a year in funding? If the answer is, "better than the existing intelligence services", then I think someone needs to reconsider their budget priorities for the next decade.

3
3
Silver badge

When a thread in a string is a rope, only a hope peddling dope realises it not as a lifeline.

Ask yourself this, what could a seriously competent, non-governmental, university based, "cyber defense" cooperative do with a quarter-trillion dollars a year in funding? If the answer is, "better than the existing intelligence services", then I think someone needs to reconsider their budget priorities for the next decade. …. Anonymous Coward, Exploding the Myth

Such a cooperative base with grand university of life masters piloting and targeting programs and/or pogroms would easily be funded with a quarter-trillion dollars a year and if serially seriously competent in base cyber defense protocols, very likely to be able to arrange all funding for IT and themselves from vulnerable markets.

And if they want to be smarter in the future, and not want to be found lacking in all vital virtual fields of security and protection, would existing intelligence services be first to engage and offer whatever be needed to be seeded. Such a quantum leap though may be an available bridge too far for all too many of them with their current skewed priorities in maintaining the present to support the past and the status quo arrangements …. with old former and failing establishment command controllers/command and control orders/secret clubs/shadowy organs.

0
3
This topic is closed for new posts.

Forums