Wednesday, February 26, 2014

Six Cryptographers Whose Work on Dual EC DRBG Was Deemed Without Merit by RSA Chief Art Coviello

"When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech
Three things about Art Coviello's keynote speech today jumped out at me:
  1. He attempted to paint NSA as the sole bad guy in the Dual EC DRBG debacle. 
  2. He carefully avoided any mention of why RSA trusted the NSA in 2004 when the agency wasn't trusted by RSA even five years earlier.
  3. He believed that the published warnings of six independent and respected cryptographers in 2006 and 2007 had no merit.
It's the last bullet point that this blog post is about. I've listed the research papers published in 2006 and 2007 which described the same weakness (aka backdoor) in Dual EC DRBG; the encryption algorithm that the NSA was pushing for RSA to incorporate into its BSAFE product as a default in 2004. This body of work is what Coviello chose to ignore at the time and for another six years until The New York Times broke the story in September 2013; the same body of work that Coviello today was referring to when he said "that concerns raised in 2007 might have merit".

Comments on Dual-EC-DRBG/NIST SP 800-90, Draft December 2005 by Kristian Gjøsteen* (March 16, 2006)
Abstract: "We analyse the Dual-EC deterministic pseudo-random bit generator (DRBG) proposed in draft of NIST SP 800-90 published December 2005. The generator consists of two parts, one that generates a sequence of points and one that extracts a bit string from the point sequence. We show that the first part is essentially cryptographically sound, while the second is not."

*Associate professor at The Norwegian University of Science and Technology, Department of Mathematical Sciences.

Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator
Berry Schoenmakers and Andrey Sidorenko
Dept. of Mathematics and Computer Science, TU Eindhoven,
P.O. Box 513, 5600 MB Eindhoven, The Netherlands.
berry@win.tue.nl, a.sidorenko@tue.nl
29 May 2006

"The Dual Elliptic Curve Pseudorandom Generator (DEC PRG) is proposed by Barker and Kelsey [2].
It is claimed (see Section 10.3.1 of [2]) that the pseudorandom generator is secure unless the adversary can solve the elliptic curve discrete logarithm problem (ECDLP) for the corresponding elliptic curve.
The claim is supported only by an informal discussion. No security reduction is given, that is, it is not shown that an adversary that breaks the pseudorandom generator implies a solver for the ECDLP.
Our experimental results and also empirical argument show that the DEC PRG is insecure. The attack does not imply solving the ECDLP for the corresponding elliptic curve. The attack is very efficient. It can be run on an ordinary PC. Actually, the generator is insecure because pseudorandom bits are extracted from points of the elliptic curve improperly."

On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng by Dan Shumow and Niels Ferguson (Microsoft)

Bruce Schneier "Did NSA Put a Secret Backdoor in New Encryption Standard?" Wired, November 15, 2007.
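As an added toy illustration (not code from this post or from any of the papers listed above), the script below builds the two-part structure Gjøsteen's abstract describes on a constructed curve over GF(97) and shows the point Shumow and Ferguson raised: if the two curve points are related by a hidden scalar, Q = D*P, whoever knows D can turn a single output block into the generator's next state. The curve, the points, the seed and D are all constructed toy values, not the NIST P-256 parameters of the standard.

```python
# Added toy illustration (not code from the post or the cited papers): Dual EC DRBG on a
# constructed curve over GF(97), showing the state walk x(s*P), the output x(s*Q), and
# why a hidden relation Q = D*P lets one output block fix the next state.
from math import gcd
P_MOD, A, B, INF = 97, 2, 3, None   # toy curve y^2 = x^3 + 2x + 3; INF = point at infinity
def add(p1, p2):                    # affine point addition
    if p1 is INF or p2 is INF: return p1 if p2 is INF else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return INF      # P + (-P)
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P_MOD))
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)
def mul(k, pt):                     # double-and-add scalar multiplication
    res, acc = INF, pt
    while k:
        if k & 1: res = add(res, acc)
        acc, k = add(acc, acc), k >> 1
    return res
def order(pt):                      # brute force is fine on a toy curve
    n, cur = 1, pt
    while cur is not INF:
        cur, n = add(cur, pt), n + 1
    return n
def lift_x(x):                      # some point with this x; the sign is irrelevant below
    rhs = (x ** 3 + A * x + B) % P_MOD
    return next((x, y) for y in range(P_MOD) if y * y % P_MOD == rhs)
P = (0, 10)                         # 10^2 = 100 = 3 (mod 97), so P is on the curve
N = order(P)
D = next(k for k in range(2, N) if gcd(k, N) == 1)   # the hidden relation: Q = D*P
Q = mul(D, P)
def step(s, pt):                    # x-coordinate of s*pt, kept in 1..N-1 (toy detail only)
    return mul(s, pt)[0] % N or 1
def dual_ec(seed, blocks):          # part 1: s -> x(s*P); part 2: publish x(s*Q) (toy: untruncated)
    s, out = seed % N or 1, []
    for _ in range(blocks):
        s = step(s, P)
        out.append(mul(s, Q)[0])
    return out
def next_state_from(block):         # with e = D^-1 mod N, e*(s*Q) = s*P, whose x is the next state
    return step(pow(D, -1, N), lift_x(block))
def demo(seed=5, blocks=4):         # recover the state from block 0 and replay the rest
    out = dual_ec(seed, blocks)
    s, replay = next_state_from(out[0]), []
    for _ in range(blocks - 1):
        replay.append(mul(s, Q)[0])
        s = step(s, P)
    return out[1:] == replay
```

With the relation Q = D*P unknown, the output x-coordinates look like ordinary curve points; the replay succeeds only because D is known, which is exactly why the origin of the standard's fixed Q mattered.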

Art Coviello failed to explain why the work of any of the above researchers didn't merit an investigation into the algorithm which the NSA wanted him to adopt two years earlier. I hope that RSA customers pay attention to Art Coviello's clumsy attempt to whitewash RSA's responsibility in this matter and find other, more trustworthy vendors to take their business to.

Monday, February 17, 2014

Credit Suisse, BAE Systems and a workshop on Cognitive Biases

The new Suits and Spooks website now features an in-depth look at highlights of our upcoming event at Fort Mason in San Francisco including:
  • an early look at the agenda
  • our speakers and topics
  • plus a game-themed workshop on how to identify cognitive biases
Two exceptional panels featuring security executives from Credit Suisse and BAE Systems will discuss industry-specific threats.

Register before March 10th and save $200 off the standard rate. Plus, if you register before March 1st, the Cognitive Biases workshop will be included free of charge.

Tuesday, February 11, 2014

The Way-Back Machine on Mandiant and APT: Not a Who After All

Kaspersky's latest report about The Mask reminded me that Mandiant never did issue a statement re-defining APT as a what and not a who as Richard Bejtlich and I and some other Mandiant executives discussed by phone on February 21, 2013. Now that a year has almost passed without any acknowledgment, I thought it would be fun to go back in time and see how the gospel according to Mandiant on "the APT" used to go:


Here is a wonderfully prophetic quote by Rob Lee from a comment that he left on my Feb 28, 2011 blog post "Is APT a Who or a What?":
In the end, I might end up being one of the original “hackers” from MIT arguing over a term that became something else over time. And that is ok. I do feel that we aren’t there yet and we can still educate when we have a chance.
Rob gets an "A" for his prophetic abilities but an "F" for his past dogmatism.

Then there's Richard Bejtlich who got into more heated arguments over the Who v What categorization than anyone else I know.

The following quote came from a lengthy back and forth debate that Richard had with a commenter on his January 16, 2010 blog post "What is APT and What Does It Want?":


On April 15, 2010 Richard corrected Dan Geer's interpretation of APT from an article that Dan published called "Advanced Persistent Threat". Richard received notice of Dan's article from several people because back then anyone who didn't follow the Mandiant line of "APT is a Who, not a What" was immediately piled on and "educated" (to use Rob Lee's term). Anyway, Dan wrote: "Let us define the term for the purpose of this article as follows: A targeted effort to obtain or change information by means that are difficult to discover, difficult to remove, and difficult to attribute."

Richard, while agreeing with most of Dan's article, couldn't let the word "effort" go un-corrected, and wrote: 
"That describes APT's methodology, but APT is not an effort -- it's a proper noun, i.e., a specific party."
Back in 2010, Richard, Mandiant and other long-time cybersecurity professionals were convinced that cyber crime groups didn't steal intellectual property. They saw the problem in clear-cut, stark terms. Eastern Europeans and Russians stole from banks. Chinese groups stole intellectual property. And all you Gh0stbusters out there better keep those two streams separate. Some of us knew back then that was bullshit and said so but we were a tiny minority.

In "Answering APT Misconceptions", Richard writes:
"Unfortunately, there's plenty of Tweeting and blogging by people who refuse to understand what is happening or are not capable of understanding what is happening."
"Myth 2. APT is "not new." Reality: APT is only new to people who have not been involved with the problem. If you look solely at offender and motive, and exclude defender, means, and opportunity, you're likely to think APT is not new; you'd be wrong. Just performing an Attribution Using 20 Characteristics exercise helps demonstrate that APT is not like organized crime or other structured attackers."

It's OK to be wrong.

I'm not hammering Rob Lee and Richard Bejtlich because they were wrong about how they defined APT. I've been wrong more times than I've been right, just like I've failed more times than I've succeeded. There's nothing wrong with being wrong assuming that you weren't behaving maliciously. 

The lesson to take from this is to not be dogmatic about what an elephant looks like when you can't see the entire elephant. We do that all too often as an industry. And when the time has come (and past) that you've been proven wrong, it doesn't hurt to acknowledge that fact to those people who you deemed "not capable of understanding" your own flawed view of the world.

Monday, February 3, 2014

Resolved, that Privacy is a benefit of and dependent upon a strong National Security Apparatus. For or Against?

Join The Debate: Feb 27th
The Suits and Spooks Security Town Hall on Feb 27th is shaping up to become an amazing event thanks to so many exceptional people who have agreed to be panelists. The debate will be moderated by Ted Schlein, who will also present closing remarks, and Ajay Royan will open the evening with his unique take on the subject matter.

Complete information along with speaker bios is available at the all-new Suits and Spooks website. We're already 50% sold out so act soon if you want to be a part of this exciting evening. All of the ticket sales will go to one of four charitable foundations so I'm still looking for companies who'd like to join Taia Global, Silent Circle, and Mithril as sponsors.

Register with this link or call toll-free 855-777-8242
