http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 Comments & Reviews of http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 on StumbleUpon en-us Sat, 06 Sep 2008 16:57:08 -0700 Sat, 09 Aug 2008 06:49:44 -0700 http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 http://cdn.stumble-upon.com/images/logo_su_36x36.png Sun, 13 Jan 2008 20:08:15 -0800 http://shiitake.stumbleupon.com/review/16172882/ Shiitake - From Bruce Schneier, noted expert on encryption. Who has the keys to the backdoor in Microsoft Windows Vista? From the page: "Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC-DRBG [encryption]. We have no way of knowing whether an NSA employee working on his own came up with the constants -- and has the secret numbers. We don't know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does. We don't know where the constants came from in the first place. We only know that whoever came up with them could have the key to this backdoor. And we know there's no way for NIST -- or anyone else -- to prove otherwise."]]> http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 Fri, 23 Nov 2007 21:52:43 -0800 http://username2000.stumbleupon.com/review/14601829/ Username2000 - From the page: "Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency."]]> http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 Fri, 16 Nov 2007 03:00:46 -0800 http://avangionq.stumbleupon.com/review/14371824/ AvangionQ - If this is true and some hacker figures it out, the NSA is going to experience some blowback over it ... that said and on a more personal note, I like to keep speculation to a minimum and focus on what can be proven ...]]> http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 Fri, 16 Nov 2007 02:32:14 -0800 http://needsmorecoffee.stumbleupon.com/review/14371436/ NeedsMoreCoffee - From the page: "What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG. The researchers don't know what the secret numbers are. But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem. Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC-DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants -- and has the secret numbers. We don't know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does. We don't know where the constants came from in the first place. We only know that whoever came up with them could have the key to this backdoor. And we know there's no way for NIST -- or anyone else -- to prove otherwise."]]> http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 Thu, 15 Nov 2007 13:54:19 -0800 http://barrelhead.stumbleupon.com/review/14355451/ barrelhead - Commentary by Bruce Schneier]]> http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 Thu, 15 Nov 2007 12:20:15 -0800 http://leonz.stumbleupon.com/review/14352973/ LeonZ - Who would have expected something like that from NIST and NSA. Har...]]> http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 Thu, 15 Nov 2007 10:54:57 -0800 http://msaleem-stumbl.stumbleupon.com/review/14350866/ msaleem-stumbl - Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.]]> http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 Thu, 15 Nov 2007 05:54:50 -0800 http://leonardodavinci.stumbleupon.com/review/14343898/ LeonardoDaVinci - So what's all the hoo-dee-dah about random numbers, other the obvious ones mentioned here? This: that there's really no such thing as a "truly" random number.]]> http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115 Thu, 15 Nov 2007 04:30:47 -0800 http://moookid.stumbleupon.com/review/14342461/ moookid - From the page: "you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG. The researchers don't know what the secret numbers are. But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem. Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC-DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants -- and has the secret numbers. We don't know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does."]]> http://www.stumbleupon.com/url/www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115