[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAJVRA1RW0DJR6rqWHoiH1hi6gbTwEjbZkxVSV9pBKsVULuyWoA@mail.gmail.com>
Date: Sun, 29 Dec 2013 02:19:23 -0800
From: coderman <coderman@...il.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
cpunks <cypherpunks@...nks.org>
Subject: 30c3: The Year in Crypto default engines loaded
in openssl-1.x through openssl-1.0.1e]
in 30c3: The Year in Crypto
with djb, Nadia Heninger, Tanja Lange
http://www.youtube.com/watch?v=Fty107Us7oc
at ~28min discussion of RDRAND,
Intel's pass the buck to NIST no-comment,
(after initial "just trust us, we looked at a lab sample close"
didn't fly far enough...)
alt slides: hyperelliptic.org/tanja/vortraege/talk-30C3.pdf
also, Tor 0.2.4.20 (Mon Dec 23 07:21:35 UTC 2013)
updates to avoid direct RDRAND use in specific circumstances:
https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html
per previous discussion on OpenSSL use of RDRAND directly when engines on.[0]
TL; DR - very rare case you may want to re-gen relay and hidden service keys
now,,
you may wonder if IETF could apply resistance to NSA seducing of NIST,
but you'd be stepping into a quagmire :P
http://arstechnica.com/security/2013/12/critics-nsa-agent-co-chairing-key-crypto-standards-body-should-be-removed/
http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
[specifically, all of Dan Harkins "appeals for legitimacy" bear
striking resemblance to other demonstratively failed approaches to
failure by default designs. Dragonfly is not sufficiently justified.
insert pleas to appeal to decency and step away from CFRG and IETF
authority roles for propriety sake, regardless of any reasonable
claims or other implications best exemplified by RSA[1]]
also,,
SIMON and SPECK is lulz; no really: fuck those guys!
and remember that AES GCM is a choice between:
- user-land side channels galore /or/
- hardware instruction back-door
.
.
2013 was indeed a year for crypto
let's not do this again soon?
best regards,
0. "BADRAND and testing OpenSSL engines enabled behavior with direct
RDRAND engine"
https://peertech.org/goodrand
BADRAND lets you link a test version of your application or library
against OpenSSL 1.0.1e that uses a specific sequence of deterministic
"random numbers" in OpenSSL. e.g. standard C lib function rand()
seeded at zero replacing RDRAND. the debug logging to stderr can
identify bad fork() assumptions.
1. Dual-EC-DRBG is bad and RSA should feel bad. No excuses.
https://gist.github.com/0xabad1dea/8101758
IETF standards not a good reference for "formal proof" level thoroughness,
and highly deployed does not mean highly used nor scrutinized (WEP,
LEAP, OpenSSL's Dual_EC_DRBG implementation, [the set is large])
X. "see that one top post ..." [was: RDRAND used directly when...
On Sat, Dec 14, 2013 at 4:33 AM, coderman <coderman@...il.com> wrote:
> as per the FreeBSD announcement[0] and others[1][2] direct use of
> RDRAND as sole entropy source is not recommended...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists