DSA key sizes

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Nov 10 20:25:12 CET 2014


On 11/10/2014 08:31 AM, Robert J. Hansen wrote:

> What Nan means to be talking about is the Dual Elliptical Curve
> Deterministic Random Bit Generator (Dual_EC_DRBG) specification -- a way
> of generating random numbers, but *not* a signature algorithm.  It was
> released in 2004 to a great yawn: it was inefficient, slow, and the
> parameters gave some people the heebie-jeebies.  In 2007, Shumow and
> Ferguson presented at CRYPTO some results that made this design look
> like it might be backdoored.
> 
> An algorithm that nobody used in the first place ... remained an
> algorithm that nobody used in the first place.

Nobody may have used Dual_EC_DRBG "in the first place" (since of course
it didn't exist before it was proposed), but that doesn't mean that
nobody used it.

Despite its terrible performance, RSA's BSAFE library used Dual_EC_DRBG
as the default CSPRNG for 9 years (most of them well after Shumow and
Ferguson's results), removing it only in 2013 when forced to by leaked
documents confirming the backdoor:

https://en.wikipedia.org/wiki/RSA_BSAFE#Dual_EC_DRBG_backdoor

http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20141110/83e47df0/attachment.sig>


More information about the Gnupg-users mailing list