DSA key sizes

Robert J. Hansen rjh at sixdemonbag.org
Mon Nov 10 20:36:01 CET 2014


> Nobody may have used Dual_EC_DRBG "in the first place" (since of
> course it didn't exist before it was proposed), but that doesn't
> mean that nobody used it.

"in the first place" meaning "since it was proposed in 2004".

> Despite its terrible performance, RSA's BSAFE library used
> Dual_EC_DRBG as the default CSPRNG for 9 years (most of them well
> after Shumow and Ferguson's results), removing it only in 2013 when
> forced to by leaked documents confirming the backdoor:

Yes, but strangely, despite the fact OpenSSL's Dual_EC_DRBG support
never worked outside of the test harness, nobody ever filed a ticket
against OpenSSL demanding Dual_EC_DRBG be fixed.

BSAFE may have used it by default (much to RSA's shame, and they deserve
to spend a long, long time living it down), but BSAFE isn't anywhere
near as big of a player in the market as OpenSSL is.  The two biggest
players in that area are Microsoft, which supported it but not by
default, and OpenSSL.

But I agree, saying that "nobody used it" was going a little far.  I
think it's accurate to say very few people used it.


