Is Extended Random a Malicious NSA Plot? (sockpuppet.org)
157 points by pmh on Aug 4, 2015 | 51 comments



For your web inspector console:

  $("body").html($("body").html().replace(/Clyde Frog/g, "the NSA"))
Update: more proper

  $("body").html($("body").html().replace(/Clyde[\s\r\n]Frog/g, "the NSA").replace(/\. t/g, ". T"))


That's not perfectly accurate; the reason I think an abstract name is helpful is that GCHQ is just as bad, if not worse: it's handy to have a name that captures all of them.


In my defense, when I first skimmed the article I missed the note about the secondary meaning and was quite confused. "New hacker group? Old hacker group I don't know about? Kids these days..."


I did too. I assumed it was referring to an individual working for USG (although "Frog" is a pretty uncommon surname, I'd think).


Tangential forward-looking paranoia:

I've got to wonder if the DUAL_EC debacle only appears so ham-fisted because the public understanding of public key crypto is much further ahead than our understanding of symmetric ciphers. Universities employ armies of mathematicians studying mathematical structures for their own right, whereas shuffling bits isn't sexy.

Conversely, "Clyde Frog" has been studying symmetric ciphers much longer and harder (symmetric is sufficient for nation-state security) and could have a deep symbolic understanding of common symmetric constructions akin to how we see the public-key math. They would then know how to choose constants that admit similar backdoors, and the entropy of "nothing up my sleeve numbers" isn't exactly well quantified.

Rather than a proactive attempt, DUAL_EC could have been a reaction to worries about movement to RNGs based on asymmetric math.


> symmetric is sufficient for nation-state security

Is that a verifiable assertion? Would love to read more about it.


Governments can afford to employ people to transport N^2 keying material. Additionally, they have predefined communications patterns.

Even if part of the government moves to asymmetric algorithms for key distribution (only possible after the discovery of Diffie-Hellman), the top secret portions can continue using couriers to avoid relying on an additional algorithm.

Combined with its standard use for bulk ciphering, symmetric is obviously the more valuable target to secure/break.


Public Key crypto was discovered by GCHQ (and then given to the NSA) several years before it was publicly discovered by Diffie-Hellman and RSA. I think this was to avoid having to have the symmetric keys under armed guard. The public discovery is also what kicked off the 'crypto wars'. I'd be surprised if modern nation state intelligence communities found symmetric encryption sufficient.

A lot of interesting information about the history I learned from Steven Levy's crypto: http://www.amazon.com/Crypto-Rebels-Government-Privacy-Digit...


Oh yeah, I'd forgotten about Cocks. Blame my selective memory for withholding credit from people who don't share.

Spooks would of course welcome any discovery, and asymmetric crypto does solve problems for them (getting government crypto distributed as wide as possible). I am saying purely symmetric is "sufficient" for their core functionality - the communications that really need to be secret. Coupled with the head start before asymmetric was even discovered, that is where their focus is going to be.

Put another way: if you were in charge of securing communications and had to prioritize resources, would you rather research a trustworthy asymmetric algorithm or a trusty symmetric algorithm? Likewise if you wanted to snoop on others' communications, would you prioritize breaking symmetric or asymmetric techniques?


Just out of curiosity, are those jabber chat rooms public? tptacek mentions some jabber logs of the TLS working group.



Yep.


May I just say, I am extremely happy that the NSA has to jump through such incredibly laborious hoops to gain a glimpse into anything, a capability which they would then fail to acknowledge at any price.

This is the OPPOSITE of a dictatorship, where there would simply be a heavy-handed order to put in an explicit, acknowledged back door or be jailed without trial, or executed.

This is what freedom looks like. Enjoy it!

I personally also enjoy the fact that nobody with a few million dollars in spare change can surf the dark web as Dr. evil. But that's just me.

EDIT: this comment is at -1, perhaps people thought I was making a ham-fisted sarcastic statement. I'm speaking literally. You all can keep either your dictatorship, or the society in which someone can commit an act of terrorism for the going black market rate without any repercussions; if it's a false dichotomy, you'll have to explain why.

EDIT 2: this comment is fluctuating wildly (-2, +2, 0, etc) especially since my edit. Thoughtful replies would probably be more helpful than voting here.


Except for Hoffman’s last proposal, the extensions are cordoned off to the US Government. The sponsors of the standards and their authors make very little effort to provide a use case for normal Internet users.

If this were an X-Files episode, then the group who really runs the world would be forcing the USG to subvert its own crypto.


Why would Certicom bother filing patents on this? The only likely buyer/licensee would be a nation state - which can easily appropriate whatever IP it desires. Further, NSA paying/licensing with a foreign company (Canadian Certicom) only adds to the number of people in the know. Likely Certicom realized this, and that contributes to the reason why some of the patent applications were never pursued beyond provisional patent applications.


Certainly seems like a very well crafted but poorly executed plot to me. The tricky thing is how the hell do you really expose it? There are so many levels of obfuscation both by the people who are putting forth the proposal and the technical details as well.


Can anyone figure out whether USG is Unix Systems Group or United States Government. (I think we're safe in assuming they aren't United States Gypsum (though, from my trips through Empire to Gerlach, that was the first thing that came to mind)). [Edit - if you read through the entire (epic and wonderful resource) article, United States Government is used where USG might be - so I think we are safe in assuming it is United States Government. tptacek, might be worth introducing the acronym at the beginning.]


I thought it was the US Government.


USG is a fairly widely used initialism for United States Government in some circles.


PKRNG - if the attacker obtains the private key, why do they need the 28+ bytes?


The attacker doesn't have the TLS private key, they have the RNG key. But they don't have the RNG seed. Recovering the seed is necessary to predict other RNG outputs and break TLS, but requires observing more RNG output than one typically sees.


FWIW, the operative theory here is that "Extended Random" was designed to work in concert with the DUAL_EC DRBG/RNG, which almost certainly allows "Clyde Frog" to predict all future output on the basis of very few samples.


Seems they aren't limited to just future output:

"Using that private key, they can observe CSPRNG output on the wire, “decrypt it”, and use that to rewind and fast-forward other people’s CSPRNGs, discovering their keys."


If the victim is using Dual_EC_DRBG and Clyde Frog can obtain ~32 bytes of RNG output, they can figure out in reasonable time what the seed to the RNG was (assuming they know how the curve parameters were generated).

"This is a huge deal in the case of SSL/TLS, for example. If I use the Dual-EC PRG to generate the "Client Random" nonce transmitted in the beginning of an SSL connection, then the NSA (sic) will be able to predict the "Pre-Master" secret that I'm going to generate during the RSA handshake. Given this information the connection is now a cleartext read. "[1]

So, Clyde Frog can figure out your RNG state and predict what key you will generate for your TLS session. That's how they obtain the private key.

[1] http://blog.cryptographyengineering.com/2013/09/the-many-fla...
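The state-recovery mechanism the last few comments describe, in miniature. This is an added example, not code from the article or from anyone in this thread: a toy generator with the Dual_EC structure (each output is a truncated x-coordinate of a multiple of Q, the state advances through P = e*Q) over the textbook curve y^2 = x^3 + x + 1 mod 23, with a made-up trapdoor e = 5 and two of five bits truncated per output. Everything here is constructed: the field, the curve, `TRAPDOOR_E`, the `ToyDualEC` class, the `+1` on the scalar and the 3-bit mask are artefacts of the tiny group, and none of it uses real Dual_EC parameters. What it shows is the point made above about "~32 bytes": decrypting one truncated output with the trapdoor leaves several candidate states, and it is the additional output bytes that eliminate the wrong ones. Every extra byte of raw DRBG output that an extension puts on the wire is a filter for whoever holds the trapdoor, which is the whole concern with pairing such an extension with Dual_EC.

```python
# Toy Dual_EC-style generator with a trapdoor. Constructed for illustration:
# tiny field, textbook curve, made-up trapdoor. Not the NIST algorithm.
from math import gcd

P_MOD = 23            # prime field GF(23); real Dual_EC uses P-256
A, B = 1, 1           # y^2 = x^3 + x + 1 over GF(23): 28 points, cyclic group
KEEP_MASK = 0b111     # outputs keep the low 3 of 5 bits (Dual_EC drops 16 of 256)
INF = None            # point at infinity


def ec_add(p1, p2):
    """Affine addition on the toy curve (no constant-time care; it's a toy)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def points_with_x(x):
    """Curve points with this x-coordinate (0, 1 or 2 of them), by brute force."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if (y * y) % P_MOD == rhs]


def point_order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur, n = ec_add(cur, pt), n + 1
    return n


# Public constants. Q generates the whole 28-element group; P = e*Q, where the
# trapdoor e is known only to whoever chose the constants.
GROUP_ORDER = 1 + sum(len(points_with_x(x)) for x in range(P_MOD))
Q = next(pt for x in range(P_MOD) for pt in points_with_x(x)
         if point_order(pt) == GROUP_ORDER)
TRAPDOOR_E = 5                                  # constructed; gcd(5, 28) == 1
assert gcd(TRAPDOOR_E, GROUP_ORDER) == 1
P = ec_mul(TRAPDOOR_E, Q)


class ToyDualEC:
    """State s in [0, 23). Each call emits the truncated x of (s+1)*Q and moves
    to x((s+1)*P). The +1 keeps the scalar below the group order, so the toy
    never hits the point at infinity (a non-issue at real curve sizes)."""

    def __init__(self, seed):
        self.s = seed % P_MOD

    def next_output(self):
        out = ec_mul(self.s + 1, Q)[0] & KEEP_MASK
        self.s = ec_mul(self.s + 1, P)[0]
        return out


def recover_next_states(outputs, e=TRAPDOOR_E):
    """Trapdoor holder's view: every internal state consistent with the
    observed truncated outputs. Only outputs[0] is 'decrypted' with e; the
    remaining bytes exist solely to eliminate wrong candidates."""
    candidates = []
    for x in range(P_MOD):
        if x & KEEP_MASK != outputs[0] or not points_with_x(x):
            continue
        # e*((s+1)*Q) == (s+1)*P, whose x is the next state; +-R give the same x
        s_next = ec_mul(e, points_with_x(x)[0])[0]
        clone = ToyDualEC(s_next)
        if all(clone.next_output() == o for o in outputs[1:]):
            candidates.append(s_next)
    return candidates


def demo(seed=11, observed=1):
    """Victim emits `observed` outputs; the trapdoor holder recovers candidate
    states and predicts the next four outputs from the first candidate.
    Returns (candidate count, predicted, actual)."""
    victim = ToyDualEC(seed)
    wire = [victim.next_output() for _ in range(observed)]
    cands = recover_next_states(wire)
    clone = ToyDualEC(cands[0])
    for _ in wire[1:]:
        clone.next_output()          # skip outputs already used for filtering
    predicted = [clone.next_output() for _ in range(4)]
    actual = [victim.next_output() for _ in range(4)]
    return len(cands), predicted, actual


if __name__ == "__main__":
    print(demo(observed=1))   # 3 candidates: wrong first guess, wrong prediction
    print(demo(observed=2))   # 1 candidate: prediction matches the victim
```

With one truncated output on the wire, `demo(observed=1)` finds three states that could have produced it and the first guess predicts the wrong continuation; with a second output to filter on, `demo(observed=2)` is down to one state and the prediction matches the victim exactly. The ratio is far more extreme at real sizes (2^15 or so candidates per 30-byte block), which is why the thread's "28 bytes is not enough, 32 is" arithmetic matters.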


Indeed. So the issue here is to deduce the symmetric keys generated with a Cryptographically Secure Pseudo Random Function (CSPRF) seeded with information exchanged during the initiating handshake and using the respective public and private keys, without having any private keys.

Imagine now that with a handful of pseudorandom bytes sent in the clear with the TLS protocol an eavesdropper could deduce the internal state of the CSPRF and thus the symmetric keys. They could decrypt the channel.


I hate to ask a dumb question, but the article discusses the actions of Clyde Frog a lot. Is Clyde Frog a person, a company, a government project, or what? A web search found a TV show and a stuffed animal, so I'm honestly puzzled.

Edit: thanks cmg. I was reading the article on my phone and the side notes were off screen so I totally missed the explanation.


Back in the late 90s, there was a huge collaborative effort to break DirecTV's content controls. People would hack DTV smart cards, and then DTV would break the hacks, and there was an arms race for several years, during which, if you wanted, you could reprogram your DTV smart card to get all the local channels in every DTV market, and then program your DVR to record 18 episodes of The Simpsons every day, and I digress.

Anyways: for the DTV hackers, the adversary, DTV and its security contractors, were called "Dave".

I always liked that, so I figured, let's give our global adversary a name.


In small (11px), light-ish (#777777) next to the first paragraph:

> If I call NSA “Clyde Frog” long enough, eventually other people will too. Someone has to start the meme! I think Dual_EC is a backdoor.


First time I've ever seen sidenotes done like that.

BTW, screen reader users (i.e. blind people) can't possibly miss the sidenotes; in fact, each sidenote will interrupt the text at the point where the note is most relevant. So a screen reader will render the first sentence like this:

Did Clyde Frog If I call NSA “Clyde Frog” long enough, eventually other people will too. Someone has to start the meme! subvert crypto standards with a backdoored random number generator called Dual_EC?

A little jarring when first encountered. (In my case, because I have some usable vision, I could tell what was going on.) I'd suggest sticking with more conventional footnotes, but I can see why this form of sidenote was appealing.


Proper support for footnotes / sidenotes in HTML itself would be dandy. There's not, so people write hacks. I've done a few myself.

Presently footnoting is either manual or requires a preprocessor -- LaTeX, Markdown, CMS, etc.


It also happens if you use "Reader" mode in Safari. It was very strange, but I caught on once I looked at the article in regular mode and it wasn't there.


Do screen readers do any special handling of parentheticals? For a note that short, I wouldn't have been surprised if it were inserted inline in parentheses.


South Park reference the author is making for fun.


I'm actually a South Park fan and I was chuckling when I read Clyde Frog initially (before the side notes) because I assumed it was an employee/contractor who was involved with these developments. My initial reaction was to wonder how much he hated South Park after they introduced CF. I could get behind Clyde Frog being an NSA alias for shits and giggles.


Wow, I am a lot less lost after reading the explanation.


[flagged]


Mozilla was much kinder to you in their response than you deserve:

https://bugzilla.mozilla.org/show_bug.cgi?id=1001989


Good for you, that's the exact same link I posted, and if you'll read the whole bug report like I did, you'll see that I'm not the one who reported it, nor the one who reported the duplicate.

Reported: 2014-04-27 03:09 PDT by Zakharias

https://bugzilla.mozilla.org/show_bug.cgi?id=993224

Reported: 2014-04-07 19:02 PDT by Katrien

So why do you believe that Mozilla shouldn't remove NSA stooges and partisans from their software and audit their contributions? Doesn't that fall under their mission to "protect Firefox from the NSA"?

Mozilla calls on users to protect Firefox from the NSA: http://www.wired.co.uk/news/archive/2014-01/15/mozilla

Brendan Eich's Blog: Trust but Verify: https://brendaneich.com/2014/01/trust-but-verify/

Call to Action

To ensure that no one can inject undetected surveillance code into Firefox, security researchers and organizations should:

regularly audit Mozilla source and verified builds by all effective means;

establish automated systems to verify official Mozilla builds from source; and

raise an alert if the verified bits differ from official bits.

[...] Through international collaboration of independent entities we can give users the confidence that Firefox cannot be subverted without the world noticing, and offer a browser that verifiably meets users’ privacy expectations.


You should be embarrassed. What kind of a person writes things like this? You literally have no idea who you're talking about. You saw a name once in a story somewhere, projected a whole backstory onto that name out of your own febrile imagination, and now here you are, lobbying to make everyone else honor your delusions.


To paraphrase: "A implies B, now I'll write a bunch of stuff about why B matters even though that's not under dispute." (Your point of disagreement regarding questions of fact is A.)

Your weakness here (in arguing for B) is the possibility that A is false. That you take A as a premise is evidence enough that you know your belief in A is without basis.


It's amazing that, even though people should be more grateful to open-source projects for providing them a bunch of stuff for free, somehow certain members of the public feel that because the project is "open source" it gives them the right to demand the project to be run the way they want it, including kicking out the Unclean.


I can't reproduce this bug. I tried installing Firefox and did not get Eric Rescorla, so I think he's been removed already. Kind of disappointing, I wanted an autographed copy of RFC 5246.


That is because Jerry Solinas works for the NSA. Jerry Solinas @ NSA @ jasolin@orion.ncsc.mil.

Notice that the company "Clyde Frog" doesn't have a company website. Notice that Jerry Solinas doesn't have a LinkedIn profile.


woosh


It may be my (somewhat archaic) sense of crypto humor, but any time I read the term "Dual EC", my mind says "CE lauD", making it sound like someone saying the word "cloud" with an accent expressing a lot of disdain[1].

Anyway, the Dual EC backdoor, if real, along with the extra randomness, may yet prove to be part of "the gubment's" very own cloudbusting operation, to make cloud services rain users' secrets at the push of a button...

[1]: cf. "my butt"


Doesn't this essay absolutely bury one of the most important parts of this scandal, that RSA used DUAL_EC as the default random number generator in their FIPS certified encryption product for almost a decade!?! I note that this is glossed over with a description so marginal I would be tempted to call it dishonest if I were not trying to apply the principle of charity to its author. "RSA BSAFE had support for DUAL_EC." Support!? Uh no, it used it as the default generator.

"I lean towards “not”; the structure of these proposals makes Clyde Frog’s job needlessly harder, if only by practically ensuring that OpenSSL and Schannel would never default to enabling them. But people smarter than me are convicted of the idea that this was a backdoor attempt." Well yeah it would make their job harder unless one of the largest security companies in the world used that random generator in their flagship encryption product!!!

I feel like maybe there are better arguments for why this was not a subversion attempt, but honestly the points for seem so, so strong and the points against seem like a mountain of wishy-washy humming and hawing and extending the principle of charity even in the face of the above mentioned giant blaring klaxon of wrong-doing. I will still not say that reasonable people can't disagree over the question at hand but the arguments presented in this article don't strike me as being anywhere near strong enough to make this the sort of grey area the author would like.


jgon, maybe you're also reading this on a mobile client.

tptacek's first side note on the right column is that his opinion is that DUAL_EC_DRBG is an NSA backdoor. Far from burying the most important part of the scandal, he puts it front and center. This discussion is about other proposed extensions to TLS, not DUAL_EC_DRBG.

It might be too late, but I recommend you edit your comment to change "Extended Random" to DUAL_EC_DRBG (the random number generator). Extended Random is an extension proposed by the NSA (Clyde Frog).


> I will still not say that reasonable people can't disagree over the question at hand but the arguments presented in this article don't strike me as being anywhere near strong enough to make this the sort of grey area the author would like.

You have three negations in this sentence, which means it's nearly impossible to parse or understand. It's been my observation statements like these follow rationalizations about a point in which there exists dissonance. Given you seem to be disagreeing with something Thomas said or the way he said it, but not actually disagreeing with a point he made, I'd say that is the case here as well.

Violations of our privacy via rationalizations of security makes me sad and bored. I think we can all agree that things could be better with the situation, and I for one appreciate Thomas' efforts in bringing the truth to light.


> I will still not say that reasonable people can't disagree over the question at hand but the arguments presented in this article don't strike me as being anywhere near strong enough to make this the sort of grey area the author would like.

I didn't think it was that hard to read. It made sense on my first read, but here's my translation:

"I can see how arguments exist on both sides, but I don't think the author supported his argument with enough evidence to make it very relevant."


> "RSA BSAFE had support for Extended Random." Support!? Uh no, it used it as the default generator.

? Extended Random is not a random number generator.


> "RSA BSAFE had support for DUAL_EC."

That line you quote isn't in the article. The only reference to DUAL_EC and BSAFE is in the timeline and says:

> Early 2004: RSA allegedly accepts payment to make Dual_EC the default in BSAFE, their crypto library.


jgon apparently took linkregister's advice to change "extended random" to dual_ec too literally, and changed a direct quote as well.



