9 Sep
2013
9 Sep
'13
10:18 a.m.
Does any one have any opiniated and /or useful thoughts on the Snowden
leak stating/claiming/suggesting hat NSA has injected their own code
into a bunch of SSL implementations?
Or are we not allowed to talk about that. ;-)
If it is as suggested, by limiting the random number generator to not
be so random, it has big similarities with what was discovered in the
Debian Linux distribution some time ago and got a fair amount of
(bad) press at the time.
Based on that, one would expect security organisations to scan a huge
amount of generated keys for "randomness". Or am I missing something
here? Sure, the NSA are clever, but are tehy more clever than the collective of
all security geeks and expert all over the world? Or is this a US only
insertion? They do have quite some funny laws with regards to
export of security implementations in the US...
Cheers,
__
/ony
9 Sep
9 Sep
10:32 a.m.
OK, I stand corrected (i little bit). From the New York I read
the following at
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.htm…
-------
Cryptographers have long suspected that the
agency planted vulnerabilities in a standard adopted in 2006 by the
National Institute of Standards and Technology and later by the
International Organization for Standardization, which has 163
countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness,
discovered by two Microsoft cryptographers in 2007, was engineered by
the agency. The N.S.A. wrote the standard and aggressively pushed it
on the international group, privately calling the effort “a challenge
in finesse.”
“Eventually, N.S.A. became the sole editor,” the memo says.
-----
Cheers,
__
/ony
-------
Monday, September 9, 2013, 11:18:00 AM, BitFolkList wrote:
Does any one have any opiniated and /or useful
thoughts on the Snowden
leak stating/claiming/suggesting hat NSA has injected their own code
into a bunch of SSL implementations?
Or are we not allowed to talk about that. ;-)
If it is as suggested, by limiting the random number generator to not
be so random, it has big similarities with what was discovered in the
Debian Linux distribution some time ago and got a fair amount of
(bad) press at the time.
Based on that, one would expect security organisations
to scan a huge
amount of generated keys for "randomness". Or am I missing something
here? Sure, the NSA are clever, but are tehy more clever than the collective of
all security geeks and expert all over the world? Or is this a US only
insertion? They do have quite some funny laws with regards to
export of security implementations in the US...
Cheers,
__
/ony
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
4121
days inactive
4121
days old
1 comments
2 participants
participants (2)
-
BitFolkList@tony-andersson.com -
Tony Andersson