Handbook of Applied Cryptography Online
The Handbook of Applied Cryptography is now available online—legitimately. This is a good book, and well worth downloading.
Entries Tagged "books"
Page 15 of 16
The Strange Story of Dual_EC_DRBG
Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.
Generating random numbers isn’t easy, and researchers have discovered lots of problems and attacks over the years. A recent paper found a flaw in the Windows 2000 random-number generator. Another paper found flaws in the Linux random-number generator. Back in 1996, an early version of SSL was broken because of flaws in its random-number generator. With John Kelsey and Niels Ferguson in 1999, I co-authored Yarrow, a random-number generator based on our own cryptanalysis work. I improved this design four years later—and renamed it Fortuna—in the book Practical Cryptography, which I co-authored with Ferguson.
The U.S. government released a new official standard for random-number generators this year, and it will likely be followed by software and hardware developers around the world. Called NIST Special Publication 800-90 (.pdf), the 130-page document contains four different approved techniques, called DRBGs, or “Deterministic Random Bit Generators.” All four are based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. It’s smart cryptographic design to use only a few well-trusted cryptographic primitives, so building a random-number generator out of existing parts is a good thing.
But one of those generators—the one based on elliptic curves—is not like the others. Called Dual_EC_DRBG, not only is it a mouthful to say, it’s also three orders of magnitude slower than its peers. It’s in the standard only because it’s been championed by the NSA, which first proposed it years ago in a related standardization project at the American National Standards Institute.
The NSA has always been intimately involved in U.S. cryptography standards—it is, after all, expert in making and breaking secret codes. So the agency’s participation in the NIST (the U.S. Commerce Department’s National Institute of Standards and Technology) standard is not sinister in itself. It’s only when you look under the hood at the NSA’s contribution that questions arise.
Problems with Dual_EC_DRBG were first described in early 2006. The math is complicated, but the general point is that the random numbers it produces have a small bias. The problem isn’t large enough to make the algorithm unusable—and Appendix E of the NIST standard describes an optional work-around to avoid the issue—but it’s cause for concern. Cryptographers are a conservative bunch: We don’t like to use algorithms that have even a whiff of a problem.
But today there’s an even bigger stink brewing around Dual_EC_DRBG. In an informal presentation (.pdf) at the CRYPTO 2007 conference in August, Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness that can only be described as a backdoor.
This is how it works: There are a bunch of constants—fixed numbers—in the standard used to define the algorithm’s elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.
What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.
The researchers don’t know what the secret numbers are. But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem.
Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC-DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants—and has the secret numbers. We don’t know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does.
We don’t know where the constants came from in the first place. We only know that whoever came up with them could have the key to this backdoor. And we know there’s no way for NIST—or anyone else—to prove otherwise.
This is scary stuff indeed.
Even if no one knows the secret numbers, the fact that the backdoor is present makes Dual_EC_DRBG very fragile. If someone were to solve just one instance of the algorithm’s elliptic-curve problem, he would effectively have the keys to the kingdom. He could then use it for whatever nefarious purpose he wanted. Or he could publish his result, and render every implementation of the random-number generator completely insecure.
It’s possible to implement Dual_EC_DRBG in such a way as to protect it against this backdoor, by generating new constants with another secure random-number generator and then publishing the seed. This method is even in the NIST document, in Appendix A. But the procedure is optional, and my guess is that most implementations of the Dual_EC_DRBG won’t bother.
If this story leaves you confused, join the club. I don’t understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It’s public, and rather obvious. It makes no sense from an engineering perspective: It’s too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.
My recommendation, if you’re in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances. If you have to use something in SP 800-90, use CTR_DRBG or Hash_DRBG.
In the meantime, both NIST and the NSA have some explaining to do.
This essay originally appeared on Wired.com.
Hollow Books
I made my own as a kid. These are much nicer. You can even order your hollow book by topic, the better to blend it into the rest of your library.
1624 Cryptography Book Up for Auction
Rare 17th Century work on Cryptography
Title: Cryptomenytices et cryptographiae libri IX. In quibus & planissima Steganographiae à Johanne Trithemio, abbate Spanheymensi & Herbipolensi, admirandi ingenij viro, magicè & aenigmaticè olim conscriptae, enodatio traditur. Inspersis ubiquè authoris ac aliorum, non contemnendis inventis…
Author: Selenus, Gustavus [pseud. of August, Duke of Braunschweig-Luneburg]
Auction on September 13. Estimated price $5,000-$8,000.
EDITED TO ADD (9/13): A partial English translation.
Profile of Schneier
There was a profile of me in the St. Paul Pioneer Press on Sunday.
I’m pretty pleased with the article, but this is—by far—my favorite line, about Applied Cryptography:
“The first seven or eight chapters you can read without knowing any math at all,” Walker said. “The second half of the book you can’t export overseas—it’s classified as munitions.”
It’s not true, of course, but it’s a great line.
There’s also this in the Providence Journal.
Ross Anderson's Security Engineering
Ross Anderson’s Security Engineering is a great book. And I’m not saying that because I wrote the foreword. Since it was published in 2001, I have regularly recommended it to engineers interested in security.
None of this is news. What is news is that you can download the book, free and legally.
1963 FBI Fingerprint Book on Project Gutenberg
The Science of Fingerprints: Classification and Uses, FBI, 1963. Introduction by J. Edgar Hoover.
You can buy a real copy here.
Causes of Suicide Terrorism
Here’s an absolutely fascinating interview with Robert Pape, a University of Chicago professor who has studied every suicide terrorist attack since 1980.
RP: This wealth of information creates a new picture about what is motivating suicide terrorism. Islamic fundamentalism is not as closely associated with suicide terrorism as many people think. The world leader in suicide terrorism is a group that you may not be familiar with: the Tamil Tigers in Sri Lanka.
….TAC: So if Islamic fundamentalism is not necessarily a key variable behind these groups, what is?
RP: The central fact is that overwhelmingly suicide-terrorist attacks are not driven by religion as much as they are by a clear strategic objective: to compel modern democracies to withdraw military forces from the territory that the terrorists view as their homeland. From Lebanon to Sri Lanka to Chechnya to Kashmir to the West Bank, every major suicide-terrorist campaign—over 95 percent of all the incidents—has had as its central objective to compel a democratic state to withdraw.
….TAC: If you were to break down causal factors, how much weight would you put on a cultural rejection of the West and how much weight on the presence of American troops on Muslim territory?
RP: The evidence shows that the presence of American troops is clearly the pivotal factor driving suicide terrorism.
If Islamic fundamentalism were the pivotal factor, then we should see some of the largest Islamic fundamentalist countries in the world, like Iran, which has 70 million people—three times the population of Iraq and three times the population of Saudi Arabia—with some of the most active groups in suicide terrorism against the United States. However, there has never been an al-Qaeda suicide terrorist from Iran, and we have no evidence that there are any suicide terrorists in Iraq from Iran.
….TAC: Osama bin Laden and other al-Qaeda leaders also talked about the “Crusaders-Zionist alliance,” and I wonder if that, even if we weren’t in Iraq, would not foster suicide terrorism. Even if the policy had helped bring about a Palestinian state, I don’t think that would appease the more hardcore opponents of Israel.
RP: I not only study the patterns of where suicide terrorism has occurred but also where it hasn’t occurred. Not every foreign occupation has produced suicide terrorism. Why do some and not others? Here is where religion matters, but not quite in the way most people think. In virtually every instance where an occupation has produced a suicide-terrorist campaign, there has been a religious difference between the occupier and the occupied community.
….TAC: Has the next generation of anti-American suicide terrorists already been created? Is it too late to wind this down, even assuming your analysis is correct and we could de-occupy Iraq?
RP: Many people worry that once a large number of suicide terrorists have acted that it is impossible to wind it down. The history of the last 20 years, however, shows the opposite. Once the occupying forces withdraw from the homeland territory of the terrorists, they often stop—and often on a dime.
Pope recently published a book, Dying to Win: The Strategic Logic of Suicide Terrorism. Here’s a review.
UPDATED TO ADD: Salon reviewed the book.
Secrets and Lies Review
Even though it’s five years old, here’s a new review of my previous book: Secrets and Lies.
Beyond Fear Review
Here’s a new review of Beyond Fear.
Sidebar photo of Bruce Schneier by Joe MacInnis.