dual ec drbg and nist crypto process review
play

Dual EC DRBG and NIST Crypto Process Review John Kelsey, NIST 1 - PowerPoint PPT Presentation

Aug 26, 2023 •28 likes •388 views

Dual EC DRBG and NIST Crypto Process Review John Kelsey, NIST 1 Three Stories How Dual EC got into our standard What we did when we realized what had happened What we're doing now 2 What's the Issue? NIST and NSA coauthored a

  1. Dual EC DRBG and NIST Crypto Process Review John Kelsey, NIST 1

  2. Three Stories • How Dual EC got into our standard • What we did when we realized what had happened • What we're doing now 2

  3. What's the Issue? • NIST and NSA coauthored a set of standards on cryptographic random number generation. • NSA provided Dual EC DRBG. • Many reasons we should have rejected or modified Dual EC DRBG – Instead, we left it in. • News stories based on Snowden disclosures came out. – Suggest that Dual EC DRBG has an intentional backdoor put in by NSA, and exploited in the field. 3

  4. What Happened Next? • Put out an ITL bulletin telling everyone to stop using Dual EC • Put 800-90 documents out for comment • Currently removing it from SP 800-90A • 2nd comment period just ended. • Spent a fair bit of time trying to figure out: • What went wrong? • How to keep it from happening again. 4

  5. What Are We Doing Now? • Improving our process for writing standards • Rethinking our relationship with NSA – NIST and NSA have different missions • Hiring more cryptographers • Building more links with academic crypto community • Most important (and hardest to define): Change in "corporate culture" in computer security division. 5

  6. Dual EC History 6

  7. X9.82 and SP 800-90 • NIST and NSA worked together on two different standards for cryptographic random number generation – X9.82 (1998-2007) – SP 800-90 (2005-Present) • Two processes ran in parallel – X9 dragged on for years with little progress – Finally got going around 2003 – Two processes ran in parallel, same authors 7

  8. DRBGs 
 Deterministic Random Bit Generators • Cryptographic random number generators come in two parts: – Unpredictable processes used to generate a seed – Algorithm to generate random bits from seed. • DRBG = Deterministic Random Bit Generator – Algorithm for generating random-looking bits. – Specified in X9.82 Part 3 and SP 800-90A. – Should produce outputs nobody can distinguish from random bits. • In SP 800-90A: – NSA provided two: Hash DRBG*, Dual EC – NIST provided two: CTR DRBG, HMAC DRBG * Design was extensively modified by NIST 8

  9. Dual EC DRBG 
 Dual Elliptic Curve DRBG • DRBG provided by NSA • Security based on number theory problem • Defined for three curves (three security levels) • For each curve, some public parameters (P ,Q) defined as part of DRBG definition. 9

  10. Dual EC DRBG: P and Q • Dual EC DRBG’s definition requires choosing some parameters: (P ,Q) – Elliptic curve points. • It is possible to choose (P ,Q) so that you know a backdoor for the DRBG. – NSA is alleged to have done this. • It is also possible to choose (P ,Q) so that you can prove you don’t know a backdoor. – We have a mechanism to do this in our standards, but it seems never to have been used. 10

  11. Issues with Dual EC DRBG • Bias – Dual EC DRBG has a slight statistical bias – Theoretical weakness when DRBG is used to generate keys. – But it violates our requirements for DRBGs • Possible Backdoor – (P ,Q) may have been generated to allow NSA to know a backdoor. – This would be a practical (and very important) weakness Dual EC DRBG should not have been included in X9.82 or SP 800-90 in current form. 11

  12. What Went Wrong? 12

  13. Dual EC: What Went Wrong? • Dual EC DRBG had security issues that should have kept it out of X9.82 and SP 800-90. – Bias (from not throwing away enough bits) – Possible backdoor in (P ,Q) • Both issues identified during standards development process. • Changes made to the standards failed to adequately address them. 13

  14. Four Issues from our COV Presentation 1. NIST-NSA Relationship • Relied on NSA for expertise we lacked on ECC 2. Insularity of Editing Committee • Ignored or minimized feedback from outside 3. Standards Group Dynamics • Dual EC had a champion on X9.82 editing committee • Wanted existing implementations to comply with standard 4. Recordkeeping and Project Management Issues 14

  15. What Happened Next? 15

  16. Timetable • September-November 2013: • News Reports and Subsequent Concerns over Crypto Standards, September 2013 • Internal Discussion at NIST by NIST Staff and Leadership, Fall 2013 • ITL Bulletin advising public to stop using Dual EC, 800-90 series out for public comment • February 2014: • NIST Publishes Draft IR 7977, Cryptographic Standards and Guidelines Development Process, February 2014 • NIST Director Sends Charge to VCAT to Review Cryptographic Activities, February 2014 • April-July 2014: • VCAT Subcommittee Forms Expert Committee of Visitors (COV), April 2014 • NIST Conducts Series of Briefings to VCAT Subcommittee and COV, May 2014 • COV Submits Individual Reports to VCAT Subcommittee, June 2014 16 • Full VCAT Provide Consensus Recommendation to NIST Director, July 2014.

  17. VCAT Report • NIST management asked VCAT (an advisory committee for NIST) to review what happened. • Convened a panel of subject matter experts to review what went wrong with Dual EC and other NIST standards == COV • We gave presentations and had discussions on our standards, and asked them for feedback. • Result was the VCAT Report, including reports of individual COV members. http://www.nist.gov/public_affairs/releases/upload/VCAT-Report-on- NIST-Cryptographic-Standards-and-Guidelines-Process.pdf

  18. Summary of VCAT Recommendations • Openness and Transparency: – Develop and implement a plan to further increase the involvement of the cryptographic community, including academia and industry… • Independent Strength/Capability: – Strive to increase the number of technical staff… • Clarification of Relationship with NSA: – NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess and reject it when warranted. • Technical Work, Development and Processes: – NIST work openly with the cryptographic community to determine how best to address… the number of specific technical recommendations. 18

  19. What Are We Doing Now? 19

  20. Process Review Overview • The Dual EC disaster led to a rethink of how we manage computer security standards at NIST . • We're working on a number of changes to our procedures. • Some of these might make attacks on us like the one in SP 800-90 harder. • Others will just make us less likely to make mistakes, and will make the documents easier to review. 20

  21. Authorship and NSA • We've had documents where NSA coauthors weren't listed as authors, but instead in the "acknowledgements" section. (SP 800-90A is an example.) • Problem: This makes it difficult for readers of our documents to know whether NSA was involved. • Solution: Future documents will require all coauthors to be listed as coauthors. 21

  22. NSA Contributions to NIST Standards • NSA has contributed to NIST guidelines in several ways: – Coauthoring and commenting on publications – Contributing algorithms, e.g., SHA-1, SHA-2, DSA, AES Key Wrap • NIST will clearly identify any NSA contributions • We will encourage NSA to bring proposed algorithms to conferences and standards organizations – e.g., SIMON, SPECK • NSA-developed algorithms will require public review and analysis to be considered for inclusion in NIST standards/guidelines 22

  23. NIST Standards and Public Comment Periods • FIPS and Special Publications follow a process like: • Draft version is published • 30-90 day public comment period • Comments received in period are addressed somehow by writers of the standard • This is a major way we get feedback on our standards. 23

  24. Comment Resolution • Past: Comments handled differently depending on author preferences. • Future: Comments handled consistently • Public comments will be made public • Every comment will be addressed in public • This came up in reviewing how some comments on 800-90 were addressed. 24

  25. Informal and Anonymous Comments • Informal comments: Often useful feedback comes informally. • Personal conversation • Comment on a mailing list • Private Comments: Public comments are better, but not everyone wants to make a public comment. • Some comments might be under NDA We’re still working out how to capture these and make them more-or-less public 25

  26. Out of Season Comments • Comments sometimes come in about documents that aren't out for public comment. • Errors or bugs • Attacks • Suggestions for future revisions • Right now, it's not so clear where to send such comments. • In the future, we plan to keep comment email addresses open for our documents all the time. Like rbg-comments@nist.gov 26

  27. Recordkeeping • In the past, our project management on documents has been ad-hoc. • Different authors handled things their own way. • It's often quite hard to find old versions of documents, notes, meeting minutes, internal analyses, etc., for old documents. • All this came up in trying to work out what had happened to SP 800-90. 27

  28. Recordkeeping (cont’d) • We're planning to move to a more formal mechanism for managing projects in CSD. • Start a project with security requirements or problem statement • Keep intermediate documents, notes, internal analyses, etc. • Not clear what technology we will use... • ...but email is a lousy project management tool. 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

13.1 Review of Last Lecture Review of primal and dual of SVM. Insights: Dual only depends on

13.1 Review of Last Lecture Review of primal and dual of SVM. Insights: Dual only depends on

CS/CNS/EE 253: Advanced Topics in Machine Learning Topic: Reproducing Kernel Hilbert Spaces Lecturer: Andreas Krause Scribe: Thomas Desautels Date: 2/22/20 13.1 Review of Last Lecture Review of primal and dual of SVM. Insights: Dual only

233 views • 5 slides
SP 800-90C: Random Bit Generator Constructions Elaine Barker NIST May 2, 2016 2 Purpose of

SP 800-90C: Random Bit Generator Constructions Elaine Barker NIST May 2, 2016 2 Purpose of

SP 800-90C: Random Bit Generator Constructions Elaine Barker NIST May 2, 2016 2 Purpose of 800-90C: To construct RBGs from approved entropy sources (see SP 800-90B) and DRBG mechanisms (see SP 800-90A) o DRBGs (a.k.a. pseudorandom number

330 views • 20 slides
NIST Case Study: Dual-Zone Unit for Simultaneous Refrigerated and Frozen Vaccine Storage Michal

NIST Case Study: Dual-Zone Unit for Simultaneous Refrigerated and Frozen Vaccine Storage Michal

NIST Case Study: Dual-Zone Unit for Simultaneous Refrigerated and Frozen Vaccine Storage Michal Chojnacky National Institute of Standards and Technology Sensor Science Division, Temperature and Humidity Group Gaithersburg, MD michalc@nist.gov

211 views • 8 slides
CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE

CRYPTO HERE, CRYPTO THERE, CRYPTO, CRYPTO EVERYWHERE WORLD AQUATIC HEALTH CONFERENCE WILLIAMSBURG, VA THURSDAY, OCTOBER 17 TH , 2019 JOHN KELLY, PE IOWA DEPARTMENT OF PUBLIC HEALTH DISCLAIMER THIS PRESENTATION: IS INTENDED FOR

843 views • 40 slides
What is Dual Credit? CISD partnership with DCCCD Dual credit is a process through which a

What is Dual Credit? CISD partnership with DCCCD Dual credit is a process through which a

What is Dual Credit? CISD partnership with DCCCD Dual credit is a process through which a learner may earn both high school and college credit. DCCCD waives tuition for pre-approved courses See CHS Course Guide for the list of

341 views • 23 slides
SHA-3 From: ! SHA3 where weve been, where were going written by John Kelsey (NIST) for the

SHA-3 From: ! SHA3 where weve been, where were going written by John Kelsey (NIST) for the

SHA-3 From: ! SHA3 where weve been, where were going written by John Kelsey (NIST) for the RSA Conference 2013 Origins Hash functions appeared as an important idea at the dawn of modern public crypto. Many ideas floating around to

879 views • 22 slides
Today Booting Process abstraction Dual mode execution Sept 19, 2018 Sprenkle -

Today Booting Process abstraction Dual mode execution Sept 19, 2018 Sprenkle -

Today Booting Process abstraction Dual mode execution Sept 19, 2018 Sprenkle - CSCI330 1 Course Objectives Review Classical OS Emphasis on the why Agile class Synching with the Project

446 views • 33 slides
7. Dual flows and algorithms Duality review Minimum-cost flow dual Specialized flow

7. Dual flows and algorithms Duality review Minimum-cost flow dual Specialized flow

CS/ECE/ISyE 524 Introduction to Optimization Spring 201718 7. Dual flows and algorithms Duality review Minimum-cost flow dual Specialized flow duals Max-flow problems LP solvers Wrap-up Laurent Lessard

341 views • 30 slides
NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST

NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST

NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST had awarded larger ESPC ($45M) with 4 ECMs the previous year (June 2015) Non-selected ECM was fixed-tilt, ground-mounted solar array on federal

559 views • 17 slides
Pseudorandom Black Swans Cache Attacks on CTR DRBG Shaanan Cohney 1 , Andrew Kwong 2 , Shahar Paz

Pseudorandom Black Swans Cache Attacks on CTR DRBG Shaanan Cohney 1 , Andrew Kwong 2 , Shahar Paz

Pseudorandom Black Swans Cache Attacks on CTR DRBG Shaanan Cohney 1 , Andrew Kwong 2 , Shahar Paz 3 , Daniel Genkin 2 , Nadia Heninger 4 , Eyal Ronen 5 , Yuval Yarom 6 1 University of Pennsylvania 2 University of Michigan 3 Tel Aviv University 4

727 views • 52 slides
A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process

A new lightweight Crypto Library for supporting an Advanced Grid Authentication Process with Smart Cards Roberto BARBERA (1)(2) , Vincenzo CIASCHINI (3) , Alberto FALZONE (4) , Giuseppe LA ROCCA (1)

456 views • 32 slides
NCTC Dual Credit Registration Process The Basic Nuts & Bolts Contacts Susan

NCTC Dual Credit Registration Process The Basic Nuts & Bolts Contacts Susan

NCTC Dual Credit Registration Process The Basic Nuts & Bolts Contacts Susan Cooper Dual Credit Coordinator Flower Mound scooper@nctc.edu 972-899-8331 Webpage Contacts Kyle Seipp Director of College and Career Readiness

554 views • 43 slides
NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov ICANN Meeting Oct. 15 th , 2014 Los Angeles CA First, A Bit of History 2011 USG DNSSEC Tiger Team has a 2 nd goal: authenticated email

308 views • 4 slides
Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Outline Crypto intro Computer Security: Secret Key Crypto Symmetric crypto Bart Jacobs

Crypto intro Crypto intro Symmetric crypto Symmetric crypto Achieving security goals with symmetric crypto Radboud University Nijmegen Achieving security goals with symmetric crypto Radboud University Nijmegen e-Passport example

269 views • 7 slides
Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert

Entropy as a Service Unlocking the full potential of cryptography Apostol Vassilev Robert Staples STVM/CSD/NIST A perspective: cryptography evolves very fast to provide security in cyberspace Emerging crypto technologies - lightweight crypto

199 views • 17 slides
Quantum non-malleability and authentication Christian Majenz QMATH, University of Copenhagen

Quantum non-malleability and authentication Christian Majenz QMATH, University of Copenhagen

Quantum non-malleability and authentication Christian Majenz QMATH, University of Copenhagen Joint work with Gorjan Alagic, NIST and University of Maryland CRYPTO 2017, UCSB 24.08.2017 Motivation: a classical story... Crypto for bank

1.01k views • 83 slides
Disclosures Advanced Heart Failure I have nothing to disclose Steven Pantilat, MD Professor

Disclosures Advanced Heart Failure I have nothing to disclose Steven Pantilat, MD Professor

12/3/17 Palliative Care in Disclosures Advanced Heart Failure I have nothing to disclose Steven Pantilat, MD Professor of Medicine Kates-Burnard and Hellman Distinguished Professor in Palliative Care Director, Palliative Care Program and

200 views • 6 slides
Wide-field monitoring strategy for the study of fast optical transients S.Karpov, G.Beskin,

Wide-field monitoring strategy for the study of fast optical transients S.Karpov, G.Beskin,

Wide-field monitoring strategy for the study of fast optical transients S.Karpov, G.Beskin, S.Bondar, V.Plokhotnichenko, G.Greco, A.Guarnieri, C.Bartolini, A.Piccioni Presented by G. Greco Deciphering the Ancient Universe with Gamma-Ray

709 views • 37 slides
Changing the structure in implicative algebras Realizabilidad en Uruguay 19 al 23 de Julio 2016

Changing the structure in implicative algebras Realizabilidad en Uruguay 19 al 23 de Julio 2016

Introduction Implicative algebras, changing the implication From abstract Krivine structures to structures of implicative nature OCA s and triposes Changing the structure in implicative algebras Realizabilidad en Uruguay 19 al 23 de Julio

1.38k views • 100 slides
5/11/2011 Two Key Questions Is a patent (claim) valid? Does technology X infringe a

5/11/2011 Two Key Questions Is a patent (claim) valid? Does technology X infringe a

5/11/2011 Two Key Questions Is a patent (claim) valid? Does technology X infringe a particular claim? Substantial overlap between these questions: the test for validity and infringement both start with claim Patent Analysis and

283 views • 3 slides
Fair Termination of Higher-Order Functional Programs Keiichi Watanabe , Ryosuke Sato Takeshi

Fair Termination of Higher-Order Functional Programs Keiichi Watanabe , Ryosuke Sato Takeshi

Automatically Disproving Fair Termination of Higher-Order Functional Programs Keiichi Watanabe , Ryosuke Sato Takeshi Tsukada, Naoki Kobayashi The University of Tokyo September 20 th , 2016 ICFP 2016 at Nara 1 2 Our Goal Automated method for

923 views • 54 slides
Thursday 16 September 2010 1. CASE STUDY A Deathbyhomebrew Ltd manufacture home brewing

Thursday 16 September 2010 1. CASE STUDY A Deathbyhomebrew Ltd manufacture home brewing

Thursday 16 September 2010 1. CASE STUDY A Deathbyhomebrew Ltd manufacture home brewing equipment. The business has been struggling of late following a decline in demand for products and is looking at making 10 redundancies from its

924 views • 10 slides
Housing Summit 2019 Recap income housing creation, assist those ineligible for

Housing Summit 2019 Recap income housing creation, assist those ineligible for

Organized by Mayor Weinberger in July & September 2019 to: Look at chronic housing challenges, progress in since 2012 Bring renewed energy, attention to work of 2015 Housing Action Plan Identify a list of actionable policy changes to

862 views • 27 slides
Arizona Marketing Association Marketing Basics What is Direct Response Marketing? You know the

Arizona Marketing Association Marketing Basics What is Direct Response Marketing? You know the

Arizona Marketing Association Marketing Basics What is Direct Response Marketing? You know the Commandants of Direct Response Marketing, Right? 1.There shalt always be an offer. 2.There shalt be a reason to respond now. 3.There shalt be

802 views • 30 slides

More recommend