lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8k3ZaYbRh-zyD+4GBi-L4uw60NrkfCZcEwauL1YxxwXKA@mail.gmail.com>
Date: Fri, 30 May 2014 18:22:53 -0400
From: Jeffrey Walton <noloader@...il.com>
To: uname -a <sec.list@....net>
Cc: Full Disclosure List <fulldisclosure@...lists.org>
Subject: Re: [FD] TrueCrypt?

On Fri, May 30, 2014 at 4:02 PM, uname -a <sec.list@....net> wrote:
> Really?
> https://blog.0xbadc0de.be/archives/155
>
"note: I did not break the official algorithm. I do not know the
secret value used to compute the Q constant, and thus cannot break the
default implementation. Only NSA (and people with access to the key)
can exploit the PRNG weakness."

The second secret value is what folks are interested in:
http://www.schneier.com/blog/archives/2007/11/the_strange_sto.html and
http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html.

Jeff

> Am 30.05.2014 17:21, schrieb Michael Cramer:
>> On a technicality,
>>
>> There has never been a demonstration of a vulnerability in Dual_EC_DRBG. There are only allegations based on ties to the NSA.
>>
>> -Mike
>>
>> Sent from my iPhone
>>
>>> On May 30, 2014, at 11:09, "Chris Schmidt" <chris.schmidt@...trastsecurity.com> wrote:
>>>
>>> Regarding your final statement here, I seem to recall it being reported a
>>> little company called RSA allowed NSA backdooring and I¹m pretty sure they
>>> are far from Out-Of-Business. Claiming that giants like MS would go out of
>>> business if it got out that they were working with the NSA is completely
>>> naïve.
>>>
>>>> On 5/29/14, 4:13 PM, "Mike Cramer" <mike.cramer@...look.com> wrote:
>>>>
>>>> I think it¹s more important to have rational discussions. This isn¹t the
>>>> first time Microsoft has been Œrumored¹ to have backdoors in Windows for
>>>> the US Government. These rumors have been perpetuated for years. While I
>>>> don¹t know how long you¹ve been in the industry, it¹s something I recall
>>>> even being 14 years old and sitting on IRC and having people discuss.
>>>>
>>>>
>>>>
>>>> The reality now, just as then, is that these are unsubstantiated.
>>>>
>>>>
>>>>
>>>> A more apt description about the cooperation between the US Government
>>>> and Microsoft I think falls back onto our old pals ³Alice and Bob². I¹m
>>>> sure you may recall these names from any sort of discussion about PKI.
>>>>
>>>>
>>>>
>>>> What people seem to forget in all of these discussions is that Microsoft
>>>> is Bob. (Microsoft Bob? :P)
>>>>
>>>>
>>>>
>>>> No amount of encryption, protection, secret keying is going to protect
>>>> you when one party is going to hand over the information to 3rd parties
>>>> to review.
>>>>
>>>>
>>>>
>>>> Based on my Alice and Bob comment above, it¹s reasonable to assume that
>>>> the encryption itself is 100% fine, so as long as you believe that Bob
>>>> will never divulge the information you¹ve disclosed.
>>>>
>>>>
>>>>
>>>> Through all of these discussions surrounding Bitlocker across multiple
>>>> forums nobody has brought up the fact that Bitlocker in Windows 8 allows
>>>> you to store recovery key information in OneDrive/²The Cloud². Why bother
>>>> writing in backdoors to the software when the keys are readily available
>>>> with a warrant?
>>>>
>>>>
>>>>
>>>> There are a million and one ways to get access to the information and the
>>>> absolutely most difficult, most costly, and most potentially damaging is
>>>> the one people are jumping to first.
>>>>
>>>>
>>>>
>>>> If it were ever revealed that Microsoft purposefully weakened its
>>>> encryption systems to allow the NSA access to any Windows device, then it
>>>> would be the end of the organization. They¹re just not that dumb.
>>>>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ