Comments

Anon September 9, 2021 8:13 AM

I don’t know why the NSA thought they could get away with backdooring Dual_EC_DRBG.
It was obvious to many at the time… but they were just afraid of public accusations and the drama around that.

Clive Robinson September 9, 2021 8:40 AM

@ Anon,

It was obvious to many at the time…

What was “obvious” to “who?” and “when?”.

From memory,

What was coming out was that a member of a NIST committee who worked for the NSA so alienated others on the committee that formal complaints were made about the person’s behaviour.

NIST decided to ignore the complaints, and even another standards body that had rejected the algorithm because it was technically crap, being slow and taking up more resources than was desirable. Things ground on and NIST approved the DRBG for reasons still unexplained.

Niels Ferguson, whilst developing another crypto system, realised there was something in the maths that did not sit right. And independent of what was going on at NIST came up with an idea of how to put a covert channel in certain types of system[1].

Then the fun started…

Eventually NIST with a very red face reissued the standard without that NSA algorithm.

[1] Very basically the asymmetric algorithm primitives used have a significant redundancy problem, and where there is redundancy covert channels can be fairly easily placed. If you want to know more there is research going back to the 70’s. Adam Young and Moti Yung wrote an easily readable book and published several papers about “key stealing”. Niels Ferguson has also published papers and was co-author of books that cover DRBGs in some depth. Likewise our host.

metaschima September 9, 2021 1:29 PM

So much for defending national security. This is an epic example of the NSA working against US national security goals. Their crappy backdoor allowed China to hack US systems. Epic fail as usual for the NSA. Be aware that they infect, or attempt to infect, anything they touch. I avoid any crypto that has the NSA stamp of approval, usually the winners of national crypto contests. Makes perfect sense though. Cripple them before they even get off the line. The NSA only seems to care about intelligence, not national security. They are not the same. Gaining one at the cost of the other is a major error.

lurker September 9, 2021 2:47 PM

Yet another failure on the simple-minded approach. Couldn’t even get the name right. Who would trust an oxymoron? “Deterministic” “random” bs generator…

TimH September 9, 2021 3:29 PM

Don’t worry, MS removed the Elephant Diffuser from BitLocker, limits the PW length to 20 chars, and it defaults to AES-128.

The Tech Dummy September 9, 2021 3:44 PM

@ Anon
What do you mean by “get away with”?
To me, if they aren’t stopped, they have gotten away with it. Whatever “it” you’re talking about.

@metaschima
if it’s done on purpose, is it really an error?

echo September 9, 2021 4:47 PM

This kind of thing happens within bureaucracies all the time. It can also happen within juries. One strong personality who relies on bluff and bluster to push something through can sway group opinion when people are ignorant of the mechanics or facts. It’s actually a bit more subtle than that. It can involve other psychological weaknesses such as careerism or a natural desire to avoid confrontation.

Yes you can have situations where a person with a job title or who has experience where you think they should know better does the total opposite of what they should do.

Over time you can have people flip flop so they will say one thing at a meeting one year and the next time the issue comes up they will say the complete opposite.

Arguing the technicalities and technology isn’t only a distraction, it’s boring. Constantly going on about it won’t solve anything as it’s the wrong problem. I’m also finding the Cassandra-like wailings very wearing. We know what happened. We know who did it. The technical issue was fixed but the real problem hasn’t gone away.

Unlike most people I have actually read court judgments and committee transcripts and case studies and reports on this subject. I have read the before and after. The history and context. Believe me you will not find any answers in books on maths or technical manuals and certainly not within a situation where the science and best practice and consensus is shifting, which it does and does quite often.

A lot of people are confused about and misunderstand what “political” is. “Political” in law is that which is not law. A whole lot of unprofessional and reckless and inadequate stuff can hide behind “political” in all its forms from top to bottom and left to right, at national, organisational, and individual levels. It is important to understand what “political” is, both high politics and the more routine office politics.

It will happen again and again until you fix the real problem. No matter how hard you stare at a Juniper router under an electron microscope you’re never going to find it.

echo September 9, 2021 5:39 PM

@TimH

Don’t worry, MS removed the Elephant Diffuser from BitLocker, limits the PW length to 20 chars, and it defaults to AES-128.

I noticed that and it’s a fiddle to get BitLocker to use AES-256. I recall the excuse was something along the lines of making it easier for end users while “serious” business users will use AES-256. TPM default behaviour was acceptable given general use cases. The curious thing is how Microsoft suddenly discovered everyone needed cutting edge gimlet eyed tough talking “duck and roll” security and obsoleted anything but a new computer with the latest version of Windows.

There is an inconsistency here and as any lawyer or prosecuting authority will tell you this is not indicative of a lie but it’s certainly a good clue if there are lies.

The technology is a distraction. The reason is political whether it’s on a nod and a wink or whether it is simply a cleverly disguised form of bribe to vendors.

The last thing they want is people calling them out.

AG mercury September 9, 2021 5:58 PM

Assume purposed encryption standards are broken and employ a multilayered encryption approach. I don’t have pointers to fully back up my reasoning (think it was in either a Defcon talk or a Hope talk) but I recall Peiter Zatko [1] arguing that multi-layer encryption may backfire while not providing any mathematical arguments. This is just simply stupid since not only should any encryption algorithm protect your plaintext, it should also protect you from your own standard/custom encryption/code. Also Mudge worked for the Pentagon and supposedly wanted to cooperate with USGOV to ease on hackers (look at l0pht history/biographies -> I would advise CountZero BBS stories on archive.org.) See how that is working with Assange / funny fact: he had lunch with Assange during a Chaos Computer Club conference – harvest Defcon conferences for the story.

What I’m trying to say here is that as we realized with Dual_EC_DRBG, some effort is put into backdooring a system while making it difficult for others technically knowledgeable to exploit it. Not only is that difficulty made technically (computational/energy/resource effort) but also by influencing/propagandising others in the field. Either by standards or in the hacker culture itself. That’s why TOR is broken [2]. That’s why Cult of the Dead Cow was infiltrated by the CIA (see the Hong Kong Blondes fabricated story by a known CIA operative [3]).

[1] https://en.wikipedia.org/wiki/Peiter_Zatko
[2] https://en.wikipedia.org/wiki/Traffic_analysis
[3] https://en.wikipedia.org/wiki/Oxblood_Ruffin

Clive Robinson September 9, 2021 6:08 PM

@ echo, ALL,

One strong personality who relies on bluff and bluster to push something through can sway group opinion when people are ignorant of the mechanics or facts.

Funny you should bring that up.

Especially when I was pointing out exactly that, just a few days ago with alleged experts of eminence or other status.

Also funny you should bring up,

Over time you can have people flip flop so they will say one thing at a meeting one year and the next time the issue comes up they will say the complete opposite.

Less as well, not even sure it is a week with you.

But,

Arguing the technicalities and technology isn’t only a distraction it’s boring. Constantly going on about it it won’t solve anything as it’s the wrong problem. I’m also findig the Cassandra like wailings very wearing. We know what happened. We know who did it. The technical issue was fixed but the real problem hasn’t gone away.

Is certainly a continuation of you being rude at people who have not said or done anything against you.

You’ve also claimed falsely that others have copied you, yet what you are saying is the same but less succinct than,

“Technology is agnostic to use.”

“It is the Directing mind that decides the use good or bad.”

“It is the observers view point that decides if good or bad, moral or ethical.”

“Static technology is out-evolved by thoughtful humans.”

“Technology can not solve social issues.”

And similar, that appear on this blog from time to time.

Oh by the way look up the etymology of “political” it has the same root as police. Which is “polity” from the Latin “politicus” which actually means “citizen of society”. But also gave us “politikon zōon” of Aristotle, meaning Political Animal.

One thing that is funny though, you claiming to be so knowledgeable about the law, whilst hiding behind anonymity, and claiming people have ripped you off… How about you look up what happened to Banksy,

https://copyrighthouse.org/banksy-is-losing-copyright/

“Copyright cannot be done without a true identity as then, you cannot be identified as the unquestionable owner of the works.”

Whilst I’ve always used my name and could be contacted through this blog’s host, you have chosen to hide behind an anonymous handle.

Thus we have the irony of someone without copyright of any form claiming to be ripped off by another person who does have copyright, then having the temerity to rip off the person who has copyright.

Oh and if you actually know someone with the required legal knowledge which you clearly do not have, what are the other effects with regards to harassment and discrimination? Apparently the thinking is that a “willfully anonymous” person such as you has no rights under the legislation…

Another point you should note in that log you claim you are keeping.

Clive Robinson September 9, 2021 6:58 PM

@ AG Mercury,

but I recall Peiter Zatko [1] arguing that multi-layer-encryption may backfire while not providing any mathematical arguments.

The argument is valid, and you do not need mathematical arguments.

Take the very basic crypto primitives of,

1, Exclusive OR (XOR),
2, Addition (ADD),
3, Rotation (ROT),
4, Multiplication (MUL).

That are used in set of numbers that are 2^N or Prime in size.

It’s not difficult to see that each one of those primitives can be negated by repeated application of the function.

Now consider the slightly more complex fundamental building block of most block ciphers, the Feistel Round.

It is simply the successive application of the XOR function. All its cryptographic strength comes from the “One Way Functions” (OWF) and “Key Expansion” blocks. If they are defective then the Rounds will not have any strength.

But even if the OWFs are very secure, the way the rounds work it’s clear to see that the Key Expansion is the same for both Encryption and Decryption it’s just the order they are applied. Therefore with a poor Key Expansion one round could encrypt and the next round decrypt it again.

Obviously chaining like functions is fraught with issues.

But even using different functions can get you in trouble.

If you look at XOR and ADD the actual “Least Significant Bit”(LSB), is identical in behaviour. That is the XOR or “half adder” is the same as a “full adder” without “carry input”. Whilst it’s always true of the LSB it can also be true of other bits. Likewise for AND and MUL.

Thus care must be taken when you “chain ciphers” just as much as when you chain “crypto primitives”.

You will sometimes hear the advice that the functions you are chaining should be “orthogonal to each other”; whilst true, as can be seen with XOR/ADD and the LSB, you have to actually know the functions quite intently.

If you want a more in depth and mathematical argument, look up why we have DES and 3DES but not 2DES.

I hope that helps?
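As an added example (my own, not the commenter’s), the points above in Python: bit 0 of XOR and ADD (and of AND and MUL) agrees for every byte pair while bit 1 of XOR and ADD agrees only when the LSB produces no carry, each of the four primitives is undone by applying it again with the complementary parameter, and a toy 16-bit Feistel whose key expansion hands every round the same subkey becomes an involution, so a second pass decrypts what the first pass encrypted. The round function, block size and both key schedules are toy constructions of mine, not any real cipher.

```python
# Added example: chaining crypto primitives, and a toy Feistel whose key
# expansion makes one pass undo the previous one.  Everything here is
# constructed for illustration; F and both key schedules are toys.

MASK8 = 0xFF

def xor(x, k):
    return x ^ k

def add(x, k):
    return (x + k) & MASK8

def rot(x, r):
    # rotate an 8-bit value left by r; rot(x, 0) and rot(x, 8) are both x
    return ((x << r) | (x >> (8 - r))) & MASK8

def mul(x, k):
    # k must be odd to be invertible modulo 256
    return (x * k) & MASK8

def bit_agreement_count(bit, f, g):
    """Count byte pairs (a, b) whose bit `bit` of f(a, b) equals that of g(a, b)."""
    return sum(1 for a in range(256) for b in range(256)
               if (f(a, b) >> bit) & 1 == (g(a, b) >> bit) & 1)

def primitives_cancel():
    """Each primitive is negated by applying it again with the complementary parameter."""
    for x in range(256):
        for k in range(256):
            if xor(xor(x, k), k) != x:
                return False
            if add(add(x, k), (256 - k) & MASK8) != x:
                return False
            if k % 2 and mul(mul(x, k), pow(k, -1, 256)) != x:
                return False
        for r in range(8):
            if rot(rot(x, r), 8 - r) != x:
                return False
    return True

def F(r, k):
    """Toy round function; a Feistel F need not be invertible, and this one is not."""
    return rot(((r ^ k) * 0x9D + 0x3B) & MASK8, 3)

def feistel_encrypt(block16, subkeys):
    l, r = block16 >> 8, block16 & MASK8
    for k in subkeys:
        l, r = r, l ^ F(r, k)
    # undo the final swap so decryption is the same walk with the subkeys reversed
    return (r << 8) | l

def feistel_decrypt(block16, subkeys):
    return feistel_encrypt(block16, list(reversed(subkeys)))

def weak_schedule(key8, rounds):
    """Every round gets the same subkey, so the expansion reads the same backwards."""
    return [key8] * rounds

def better_schedule(key8, rounds):
    """Distinct subkey per round (still a toy, but not palindromic)."""
    return [(key8 * (i + 1) * 0x2F + i) & MASK8 for i in range(rounds)]

def is_palindromic(subkeys):
    return list(subkeys) == list(reversed(subkeys))

def involution_count(subkeys):
    """How many of the 65536 blocks come back as plaintext when encrypted twice."""
    return sum(1 for x in range(1 << 16)
               if feistel_encrypt(feistel_encrypt(x, subkeys), subkeys) == x)

if __name__ == "__main__":
    weak, better = weak_schedule(0x6B, 4), better_schedule(0x6B, 4)
    print("XOR/ADD agree on bit 0 for", bit_agreement_count(0, xor, add), "of 65536 pairs")
    print("XOR/ADD agree on bit 1 for", bit_agreement_count(1, xor, add), "of 65536 pairs")
    print("weak schedule: E(E(x)) == x for", involution_count(weak), "blocks")
    print("better schedule: E(E(x)) == x for", involution_count(better), "blocks")
```

With the all-equal schedule every one of the 65536 blocks satisfies E(E(x)) == x, which is the DES weak-key phenomenon in miniature.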

Jesse Thompson September 9, 2021 9:11 PM

@Clive Robinson

What was “obvious” to “who?” and “when?”.

Well, the unacceptably high probability of a backdoor placed into Dual_EC_DRBG by the NSA was sufficiently well known in 2007 for Bruce to write up his post, and in 2005 for DJB to invent ED25519 as a rebuttal.

While it may have already just made the standards track by then, this was early years in implementation for most businesses and government agencies, so folks like Juniper rolling forward despite this clarifies lack of concern about real security (and in the case of huge equipment manufacturers, most likely just being directly coopted by the NSA from the get go).

ED25519 was designed to use sufficiently low entropy constants that the back door method used by the NSA should be impossible (no entropy in which to hide the hidden back door; the constants are no larger than they need to be to do their jobs).

Luckily, ED25519 made enough of a splash to become the default SSH key algorithm used by OpenSSH, among other in-roads so that folks would actually have some more options.

@The Tech Dummy

To me, if they aren’t stopped, they have gotten away with it. Whatever “it” you’re talking about.

I think in this context “get away with it” meant “maintain the NOBUS status of their exploit”. Seeing as how China was able to infiltrate the back door NSA implanted, everyone gets a bright, shining example of how no matter how carefully a backdoor is crafted, it’s always going to be a prime infection vector and undermine not only the security of the patsy, but also of the backdoor architect.

After all, this is a direct corollary of Kerckhoffs’s principle. A backdoor must be secret and obscure by definition (lest it is just a front door), so presuming that an adversary (either the patsy OR the enemy states, arbitrary criminals, etc) doesn’t know its details is an act of self-delusion.

And letting the back door be a second front door hardly helps either, because once everyone knows the details of the second door used by the Nanny, they’ll immediately design a version without that door to use instead and be on their merry way.

There exists no way to successfully implement communications that will be used by people without their painstaking volunteer participation which are transparent only to the governing body. Either the users (especially the ones one wants transparency of the most .. the ones who wouldn’t participate in transparency if any other option were available) will find out how to make communication opaque to the governing body, or the transparency will be available to basically the entire world making all effort above plaintext a waste of time to implement.

That is why NOBUS transparency is the wrong problem for anyone to try to solve; instead we need to suck it up and perfect governing and trying crimes and protecting the populace in a world where that feature is simply not available.
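As an added example (mine, not from the commenter or any project), the “no entropy in which to hide” argument made concrete in Python: every Ed25519 curve constant is rebuilt from the small integers that define it (2^255 − 19, −121665/121666, 4/5, and the published prime order L from RFC 8032), and the script checks that the resulting base point lies on the curve and has order L, so anyone can rerun the derivation and confirm nothing else was slipped in. The field arithmetic and the point-addition routine are my own straightforward affine implementation.

```python
# Added example: rebuild every Ed25519 curve constant from the small integers
# that define it and verify the result behaves as published.  Not code from
# the thread; the integers are the RFC 8032 ones, the checks are mine.

p = 2**255 - 19                      # field prime: literally 2^255 minus 19
A_COEFF = -1                         # twisted Edwards form: -x^2 + y^2 = 1 + d x^2 y^2
d = (-121665 * pow(121666, p - 2, p)) % p    # d = -121665/121666, two 17-bit integers
By = (4 * pow(5, p - 2, p)) % p              # base point y-coordinate = 4/5
L = 2**252 + 27742317777372353535851937790883648493   # prime order of the base point
IDENTITY = (0, 1)

def on_curve(P):
    x, y = P
    return (A_COEFF * x * x + y * y - 1 - d * x * x * y * y) % p == 0

def d_is_nonsquare():
    """Euler's criterion: a non-square d is what makes the addition law complete."""
    return pow(d, (p - 1) // 2, p) == p - 1

def recover_x(y, even=True):
    """Solve x^2 = (y^2 - 1)/(d y^2 + 1); p = 5 (mod 8), so the usual sqrt shortcut applies."""
    u, v = (y * y - 1) % p, (d * y * y + 1) % p
    x2 = (u * pow(v, p - 2, p)) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = (x * pow(2, (p - 1) // 4, p)) % p
    if (x * x - x2) % p:
        raise ValueError("y is not the y-coordinate of a curve point")
    if (x & 1) != (0 if even else 1):
        x = p - x                     # pick the sign the spec calls "positive" (even x)
    return x

def add(P, Q):
    """Complete twisted Edwards addition (affine, a = -1); no special cases needed."""
    x1, y1 = P
    x2, y2 = Q
    t = (d * x1 * x2 * y1 * y2) % p
    x3 = ((x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p)) % p
    y3 = ((y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p)) % p
    return (x3, y3)

def scalar_mult(k, P):
    """Plain double-and-add; fine for a verification script, not for secret scalars."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

B = (recover_x(By), By)              # the base point, rebuilt from 4/5 alone

def base_point_checks():
    """True when B lies on the curve and L*B is the identity, i.e. B has order L."""
    return on_curve(B) and scalar_mult(L, B) == IDENTITY

if __name__ == "__main__":
    print("p = 5 mod 8:", p % 8 == 5)
    print("d is a non-square:", d_is_nonsquare())
    print("base point on curve with order L:", base_point_checks())
```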

echo September 9, 2021 9:32 PM

@Clive

Funny you should bring that up.

Especially when I was pointing out exactly that, just a few days ago with alleged experts of eminence or other status.

Also funny you should bring up,

I’ve been avoiding reading your stuff because of triggering one of your famed “certified professional” pile ons.

You should also know better than to cite a legal commentary especially the legal commentary you picked which is, broadly speaking, self-serving spin as you have done as authoritative. I’m not making claims and I am not hiding and beyond the words you read on the screen you are entitled to nothing. I really do suggest you go and have a chat with your barrister friend on your time.
Your barrister friend should also be able to point out to you the areas of your content which are opinion (i.e. not law) and the areas of content only a judge is allowed by law to use in their summing up (i.e. you are not presenting legal argument and nor is it law). It’s basic stuff even a junior solicitor should be able to answer but again you can enquire about this on your time. Banksy’s lawyer wasn’t very well prepared either but this is not unusual or unique. It’s often so when cases involve disparate arguments and rote learned solo mentality lawyers tend to miss these things. It’s also noticeable to other lawyers which, again, your barrister friend should confirm is a complaint even among lawyers and, again, on your time.

So bit of a fail so far. I’d quit before you humiliate yourself further.

The current case on Texas and abortions caught my eye. The most significant aspect is constitutional law and as I have been saying the US constitution in principle and in practice has weaknesses including but not limited to UN Human Rights obligations not being brought into law. The UK has similar problems although to a much lesser degree on this point. And this I feel is actually the real argument behind this small technical issue with Juniper routers and administrative issues up to political direction. It can get subtle and academic very quickly and all the maths on the planet won’t help for reasons previously stated. I also feel this case is significant in the sense it is a legal pinch point for administrative abuse and far right influence which manifests in corruption and the rise in violence. It’s not a case I would have picked but then I wasn’t the one who started that fight.

Juniper routers and abortions may seem worlds apart to those who want to grind their teeth and mutter darkly about technology but I find these things are not far apart from each other.

I can understand your frustrations with respect to how the system seems to work but I think you need to step out of your toolshed. And to some degree this is what you missed when I mentioned Operation Mincemeat. Knowing something is possible is not about the second mouse getting the cheese. It unlocks possibilities and imagination and creativity, a sense of purpose, and invention. Operation Chariot was plagued with problems at this level but the people driving the operation knew this as well as arguing the fact it was deemed impossible is what made it possible. Now, this is not an excuse to throw sanity or caution to the wind but I know from experience where people are free to imagine and free to be themselves and there is a sense not just of same goals but compatibility and being on the same wavelength then magic can happen. It doesn’t always happen immediately. You don’t always get direct feedback. Sometimes part of the discovery is learning other people in different places have similar ideas.

Seriously, I cannot find a thing you regularly bang on about which doesn’t have at least one group working on it. I’ve even posted links. There are things which agitate me no end and believe me there is a long and very noisy and fractious discussion behind this but people are now working on these too. I don’t discuss them because there is no point. There’s actually a third case out there I’m following which cannot be discussed because of strict contempt of court issues which could derail the case. It’s generally acknowledged there are effectively less than a dozen experts worldwide who are even worth talking to and I’ve mentioned this before on this blog before reading today somewhere else saying this is indeed the view of the academic community in some circles. It’s not because it’s hugely difficult itself but the amount of bikeshedding from “certified professionals” throwing their weight about which makes it difficult.

I’ve found ordinary people can and do get things. They’re not stupid. They don’t need to swallow a book of maths or read a million academic papers or go through rote learned hazing to obtain “certified professional” status to get it. See also Mancur Olson (an American economist and political scientist) when discussing complex organisations. No he’s not the first and only person to make these kinds of observations but that’s politics for you. I’m also not that pessimistic.

Make of this what you will.

https://www.jstor.org/stable/20111949
The Rise and Decline of Mancur Olson’s View of “The Rise and Decline of Nations”

https://www.aei.org/articles/was-mancur-olson-wrong/
Was Mancur Olson Wrong?

echo September 9, 2021 11:01 PM

@Jesse Thompson

That is why NOBUS transparency is the wrong problem for anyone to try to solve; instead we need to suck it up and perfect governing and trying crimes and protecting the populace in a world where that feature is simply not available.

This I think is getting closer to the point and one I would encourage people to explore more rather than falling down the navel gazing technology rabbit hole.

I always point towards the European Convention and the foundation EU treaties as human rights and security models simply because it saves a lot of explaining. But I’m not going to read them for anyone. If anyone has a link which rolls everything up in one page in one place feel free.

Unless people have a rounder view they’re just going to keep bikeshedding the technology and going around the same old memes. But anyway it was about a committee meeting years ago. I’ve read minutes of this kind of thing which wouldn’t pass muster today. To some extent the goalposts have shifted at least in the UK where government has concentrated power and is shifting again as ministers use self-deleting messages on their smartphones. This is currently being challenged in the courts and we will have to wait to see how this goes. Oh, and our snide home secretary is trying to do an end run on international maritime law at the moment. To some degree I feel many of these technology discussions go “OMG computers” and people’s brains switch off. It’s like discussing refugee boats with boat enthusiasts who would spend all day talking about the HP of the engine and miss the bigger picture.

It’s a hard calculation for a lot of people. This kind of thing isn’t exactly new as it’s been around for years but the uptake is slow and few people are used to thinking through problems which involve these kinds of calculations as generally speaking these are outside of their routine work or social or political experience. It can take a while for it to enter the common dialogue or become part of the frameworks of governance or design and so on which whether we admit it or not form a large part of our unconscious decision making directly or indirectly.

Cassandra September 10, 2021 3:56 AM

“I’m also finding the Cassandra-like wailings very wearing.”

Cassandra was condemned to utter correct prophecies that everyone ignored. So finding such wailings wearing is apposite.

Cassie

+++

On a security-related point, has anyone got any good resources around IoT security? The problems are myriad, with ‘low power’ devices unable to do public-key encryption, and more capable devices ‘needing’ to rely on third-party CAs, which implies public network connectivity requirements, and trusting organisations you might not want to trust. SSH has a primitive, but workable ‘Trust on First Use’ (TOFU) model: web-browsers using https don’t (which is an ‘interesting’ lacuna).

Clive Robinson September 10, 2021 7:37 AM

@ Cassie,

Cassandra was condemned to utter correct prophecies that everyone ignored.

They were only ignored because of “Apollo’s curse”. I think you’ve not been cursed by Apollo 😉

As for Jung’s much later imaginings, there are some places it’s wise not to go.

But down to the technical issue…

IoT security is a joke for three main reasons[1],

1, The product developers either do not care or do not understand security.
2, The product users either do not care or do not understand security.
3, IoT devices are very deliberately resource limited by the developers to reduce cost.

It looks like the problem you want info on is a “Root of Trust” issue, which applies everywhere not just to IoT.

It is one of those “Turtles all the way down” or “lesser fleas” ‘ad infinitum’ issues that may never be solved technically. It is after all at root a “social issue” from how humans do “first contact”. We are for some reason predisposed to “trust” without question which can be good or bad depending on your viewpoint.

As I frequently say,

1, Technology is agnostic to use,
2, It is the Directing mind that decides use,
3, The observer who decides if that use is good or bad.

So we get to “Abdication of Responsibility” which is what TOFU really is. That is the developers know “authentication is trouble” for a whole dung heap of reasons, so they simply “fork it over the wall” and make it “Somebody Else’s Problem” (SEP)[2].

When you accept both “ad infinitum” and “SEP” your problem becomes a “Where do I want to set my water mark?” question.

When you decide the answer to that “Social Quandary”, then you can look at “technical solutions”.

So,

What’s your watermark?

That is how much social and technical pain do you want to acquire in exchange for the thankless task of protecting users from themselves?

Then you can decide what resources are needed to hold that watermark in place.

With BOMs on some mobile phones with cameras, dual SIM slots, Memory Card slot, WiFi, Bluetooth and USB interface being down in the sub $10 range, it’s easy to see that any IoT device is going to have to have an extraordinarily low BOM to compete or offer some unique feature to get market share.

Thus “the cost of trust” needs to be as close to zero as you can make it, unless you can figure a way to turn that aspect into a profit center[3].

So from a generalised perspective use the SEP principle to throw trust choices entirely on the user. Then use the lowest technical solution you can get away with to meet any security requirements.

Far from ideal I know but that is basically what the IoT market does.

[1] I know some people will knee jerk a response in opposition to that analysis but unless they come up with a new argument they are going to fail. The “Management says…” is not a new argument; management are after all the “developers” albeit further up the hierarchy. That is, the use of “developers” as a term in the analysis applies to all those who are involved with producing the product for manufacture, not just hardware & software people.

[2] My thanks to Douglas Adams’ keen eye and sense of the absurd for turning Somebody Else’s Problem into the notion of a “SEP Field” thus starting SEP into a valid technical term 😉

[3] One notable IoT feature in more featureful devices than light bulb controllers is the “ET Phone Home” or “Mothership” model. The device implicitly trusts an Internet Server which the user directly or indirectly pays to access for the IoT device to work. The Amazon Ring system is an example of this, where the payment is in part “Loss of Privacy” not just for the purchaser but anyone who comes within a couple of hundred meters of it. Amazon collects the video feeds and makes them available to, amongst others, Law Enforcement Agencies and National Security entities, presumably at some suitable profit.

Clive Robinson September 10, 2021 10:05 AM

@ Jesse Thompson,

Either the users … will find out how to make communication opaque to the governing body, or the transparency will be available to basically the entire world making all effort above plaintext a waste of time to implement.

1 : It can be shown –as I have on this blog– that as long as you can,

1.1, Put an appropriate security layer on top of the communications layer
1.2, Prevent a third party getting past the security end points of that layer.

Then you can have secure communications.

2 : The “governing body” or other third party only gets access if,

2.1, They can break the security
2.2, Get to the plaintext side of the security endpoint
2.3, They suborn the second party into betrayal (really the same as 2 above).

3 : Front doors and backdoors can only work where there is both,

3.1, The plaintext / KeyMat.
3.2, Access from a communications path.

With modern Smart Devices and their connectivity these two are usually a given with a normal user.

4 : User Security is rarely a users consideration, because they want,

4.1, Convenience of a single device
4.2, Convenience of many applications.

What users consider “ease of use” breaks nearly every security rule there is, with the result that ordinary users are easy prey not just for Government Agencies / Law Enforcement, but every two-bit crook who can type on a keyboard.

5 : Gaining User security thus privacy and all that follows on.

5.1, Move the security end point off of the communications end point device.
5.2, Use a secure crypto system for the security layer.

Whilst moving the security end point is fairly easy, finding a place which is secure to move it to is a lot harder. Because the user has to learn OpSec and follow the rules tightly and without fail. Unfortunately over and above good OpSec the user has to learn how to use and maintain the security of the crypto system. For some this is harder than OpSec and they will not stick with the rules because “Convenience is King”.

Andy September 10, 2021 10:45 AM

You do wonder if the politicians, who ultimately authorise this stuff, get to hear opposing views to those of security folks; not just from the manufacturers and businesses this has the potential to undermine trust in, costing billions in lost sales, oft. to Chinese and European rivals. I.e., people like Bruce Schneier et al, people who are more objective about the pros and cons of such backdoor-ing.

MEC September 19, 2021 6:34 PM

Simple question from a security layman. Seeing how the EC_DRBG backdoor was an essential element of the Juniper hack, I wonder about the various VPN service providers marketing their OpenVPN-ECC protocol feature. If the EC_DRBG was backdoored, how should we lay-people think about any VPN or security product being marketed with ECC “buzz?” As a simple conservative default, I am inclined to avoid any products or product configurations that involve the use of ECC as I am not savvy enough to unwrap and understand the difference between the random bit generator, the seed values and how ECC is then actually deployed in a commercial VPN service. Many thanks for any insight to this neophyte question.
