Bitcoin Forum
Pages: « 1 [2]  All
Author Topic: SHA-256 has no backdoors =/= Bitcoin has no backdoors  (Read 3124 times)
Littleshop (Legendary; Activity: 1386, Merit: 1003)
September 16, 2013, 04:16:30 PM  #21

Quote
double SHA-2 is weaker than SHA-2 in some aspects.

I'm not sure that anyone has ever proven that SHA-2 hits its whole 'probability' space (2^256); if it doesn't do that, it will be losing entropy by repeated applications.

more data in (a big fat block of data) means more random out. less data in (a single 256-bit SHA-2 hash) means less random out.

So a single key can be cracked in 1,000,000 years using every atom on the planet for energy instead of in 1,000,000,000 years using every atom in the solar system?

Come-from-Beyond (OP) (Legendary; Activity: 2142, Merit: 1009)
September 16, 2013, 04:45:35 PM  #22

Quote
Now you've gone full retard...

Hehe, sarcasm doesn't work without a <sarcasm> tag.
kokjo (Legendary; Activity: 1050, Merit: 1000)
September 16, 2013, 05:20:23 PM  #23

Quote
double SHA-2 is weaker than SHA-2 in some aspects.

I'm not sure that anyone has ever proven that SHA-2 hits its whole 'probability' space (2^256); if it doesn't do that, it will be losing entropy by repeated applications.

more data in (a big fat block of data) means more random out. less data in (a single 256-bit SHA-2 hash) means less random out.

So a single key can be cracked in 1,000,000 years using every atom on the planet for energy instead of in 1,000,000,000 years using every atom in the solar system?

sort of, yes.

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
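The entropy-loss claim in the exchange above (a hash function need not reach its whole output space, and applying it twice reaches even less of it) can be measured directly when the output is truncated to a size that can be enumerated. The block below is an added example, not code from anyone in the thread: it applies SHA-256 truncated to 16 bits to every 16-bit input, once and twice, and compares the reached fraction of the range with the random-function prediction of Flajolet and Odlyzko (image fraction 1 - tau_k with tau_0 = 0 and tau_{k+1} = exp(tau_k - 1), i.e. about 0.632 after one application and about 0.468 after two). The 16-bit truncation and the 2-byte input encoding are this example's own choices.

```python
import hashlib
import math


def truncated_sha256(value, bits):
    """SHA-256 over the big-endian encoding of `value`, truncated to `bits`
    bits, so that domain and range are both {0, ..., 2**bits - 1}.
    The encoding width is this example's assumption."""
    nbytes = (bits + 7) // 8
    digest = hashlib.sha256(value.to_bytes(nbytes, "big")).digest()
    return int.from_bytes(digest[:nbytes], "big") & ((1 << bits) - 1)


def image_fraction(bits, iterations):
    """Fraction of the range reached when the truncated hash is applied
    `iterations` times to every possible input (iterations=2 is the
    double hash the posts argue about)."""
    domain = 1 << bits
    reached = set()
    for v in range(domain):
        x = v
        for _ in range(iterations):
            x = truncated_sha256(x, bits)
        reached.add(x)
    return len(reached) / domain


def random_function_prediction(iterations):
    """Expected image fraction of the k-th iterate of a random function on
    a large finite set (Flajolet and Odlyzko, 'Random Mapping Statistics'):
    tau_0 = 0, tau_{k+1} = exp(tau_k - 1), image fraction = 1 - tau_k."""
    tau = 0.0
    for _ in range(iterations):
        tau = math.exp(tau - 1)
    return 1.0 - tau


def bits_lost(fraction):
    """How much smaller the reachable set is than the full range, in bits."""
    return -math.log2(fraction)


def run_experiment(bits=16, max_iterations=3):
    """(k, measured fraction, predicted fraction) for k = 1..max_iterations."""
    rows = []
    for k in range(1, max_iterations + 1):
        rows.append((k, image_fraction(bits, k), random_function_prediction(k)))
    return rows


if __name__ == "__main__":
    for k, measured, predicted in run_experiment():
        print(f"{k} application(s): reached {measured:.4f} of the range, "
              f"random-function model {predicted:.4f}, "
              f"{bits_lost(measured):.2f} bits lost")
```

The model predicts the same fractions for the full 256-bit function, where they cannot be measured: the reachable set shrinks by roughly 0.66 bits after one application and 1.1 bits after two, which is the scale behind the "sort of, yes" above.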
AndrewWilliams (Full Member; Activity: 182, Merit: 100)
September 16, 2013, 05:28:19 PM  #24

Time to shut up, listen, and learn. School is in session.


One of two articles, the first showing how NSA puts backdoors in encryption.


Quote
Did NSA Put a Secret Backdoor in New Encryption Standard?

By Bruce Schneier
Wired News
November 15, 2007

Link: https://www.schneier.com/essay-198.html

Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes an algorithm that is slow, badly designed and just might contain a backdoor for the National Security Agency.

Generating random numbers isn't easy, and researchers have discovered lots of problems and attacks over the years. A recent paper found a flaw in the Windows 2000 random-number generator. Another paper found flaws in the Linux random-number generator. Back in 1996, an early version of SSL was broken because of flaws in its random-number generator. With John Kelsey and Niels Ferguson in 1999, I co-authored Yarrow, a random-number generator based on our own cryptanalysis work. I improved this design four years later -- and renamed it Fortuna -- in the book Practical Cryptography, which I co-authored with Ferguson.

The U.S. government released a new official standard for random-number generators this year, and it will likely be followed by software and hardware developers around the world. Called NIST Special Publication 800-90 (.pdf), the 130-page document contains four different approved techniques, called DRBGs, or "Deterministic Random Bit Generators." All four are based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. It's smart cryptographic design to use only a few well-trusted cryptographic primitives, so building a random-number generator out of existing parts is a good thing.

But one of those generators -- the one based on elliptic curves -- is not like the others. Called Dual_EC_DRBG, not only is it a mouthful to say, it's also three orders of magnitude slower than its peers. It's in the standard only because it's been championed by the NSA, which first proposed it years ago in a related standardization project at the American National Standards Institute.

The NSA has always been intimately involved in U.S. cryptography standards -- it is, after all, expert in making and breaking secret codes. So the agency's participation in the NIST (the U.S. Commerce Department's National Institute of Standards and Technology) standard is not sinister in itself. It's only when you look under the hood at the NSA's contribution that questions arise.

Problems with Dual_EC_DRBG were first described in early 2006. The math is complicated, but the general point is that the random numbers it produces have a small bias. The problem isn't large enough to make the algorithm unusable -- and Appendix E of the NIST standard describes an optional work-around to avoid the issue -- but it's cause for concern. Cryptographers are a conservative bunch: We don't like to use algorithms that have even a whiff of a problem.

But today there's an even bigger stink brewing around Dual_EC_DRBG. In an informal presentation (.pdf) at the CRYPTO 2007 conference in August, Dan Shumow and Niels Ferguson showed that the algorithm contains a weakness that can only be described as a backdoor.

This is how it works: There are a bunch of constants -- fixed numbers -- in the standard used to define the algorithm's elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.

What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.

The researchers don't know what the secret numbers are. But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem.

Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC_DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants -- and has the secret numbers. We don't know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does.

We don't know where the constants came from in the first place. We only know that whoever came up with them could have the key to this backdoor. And we know there's no way for NIST -- or anyone else -- to prove otherwise.

This is scary stuff indeed.

Even if no one knows the secret numbers, the fact that the backdoor is present makes Dual_EC_DRBG very fragile. If someone were to solve just one instance of the algorithm's elliptic-curve problem, he would effectively have the keys to the kingdom. He could then use it for whatever nefarious purpose he wanted. Or he could publish his result, and render every implementation of the random-number generator completely insecure.

It's possible to implement Dual_EC_DRBG in such a way as to protect it against this backdoor, by generating new constants with another secure random-number generator and then publishing the seed. This method is even in the NIST document, in Appendix A. But the procedure is optional, and my guess is that most implementations of the Dual_EC_DRBG won't bother.

If this story leaves you confused, join the club. I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.

My recommendation, if you're in need of a random-number generator, is not to use Dual_EC_DRBG under any circumstances. If you have to use something in SP 800-90, use CTR_DRBG or Hash_DRBG.

In the meantime, both NIST and the NSA have some explaining to do.



Second article.

Y'all ought to know by now, NSA will NOT let any cryptography be released that THEY are not going to be able to plant a backdoor in. The nation's security is too important to leave anything to chance.



Quote
New York Times provides new details about NSA backdoor in crypto spec
The paper points a finger definitively at the long-suspected Dual_EC_DRBG algorithm.

by Megan Geuss - Sep 11, 2013 3:00 am UTC
Link: http://arstechnica.com/security/2013/09/new-york-times-provides-new-details-about-nsa-backdoor-in-crypto-spec/

Today, the New York Times reported that an algorithm for generating random numbers, which was adopted in 2006 by the National Institute of Standards and Technology (NIST), contains a backdoor for the NSA. The news followed a NYT report from last week, which indicated that the National Security Agency (NSA) had circumvented widely used (but then-unnamed) encryption schemes by placing backdoors in the standards that are used to implement the encryption.

In 2007, cryptographers Niels Ferguson and Dan Shumow presented research suggesting that there could be a potential backdoor in the Dual_EC_DRBG algorithm, which NIST had included in Special Publication 800-90. If the parameters used to define the algorithm were chosen in a particular way, they would allow the NSA to predict the supposedly random numbers produced by the algorithm. It wasn't entirely clear at the time that the NSA had picked the parameters in this way; as Ars noted last week, the rationale for choosing the particular Dual_EC_DRBG parameters in SP 800-90 was never actually stated.

Today, the NYT says that internal memos leaked by Edward Snowden confirm that the NSA generated the Dual_EC_DRBG algorithm. Publicly, however, the agency's role in development was significantly underbilled: “In publishing the standard, NIST acknowledged 'contributions' from NSA, but not primary authorship,” wrote the NYT. From there, the NSA pushed the International Organization for Standardization to adopt the algorithm, calling it “a challenge in finesse” to convince the organization's leadership.

“Eventually, NSA became the sole editor” of the international standard, according to one classified memo seen by the NYT.

The details come just as NIST released a promise to reopen the public vetting process for SP 800-90. “We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place,” a memo from the Institute read. “NIST would not deliberately weaken a cryptographic standard. We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the US government and industry at large.”

Still, NIST asserted that its purpose was to protect the federal government first: “NIST’s mandate is to develop standards and guidelines to protect federal information and information systems. Because of the high degree of confidence in NIST standards, many private industry groups also voluntarily adopt these standards.”



Class is dismissed.
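The Shumow-Ferguson relationship described in the Schneier piece quoted above can be seen in a few lines of code on a toy curve. What follows is an added example, not code from the thread, from NIST or from the SP 800-90 text: it implements the Dual_EC_DRBG update (the state s becomes x(s*P), the output is x(s*Q)) over the 13-point curve y^2 = x^3 + x + 6 over F_11, plants the trapdoor by choosing Q as a known multiple e*P, and shows that whoever holds d = e^-1 mod 13 turns a single output back into the generator's next state and predicts every later output. The curve, the points P and Q, the secret e and the seed are this example's own choices; the real generator also discards the top 16 bits of each output, which costs the attacker a search over 2^16 candidate x-coordinates per output, and that truncation is omitted here.

```python
# Toy Dual_EC_DRBG with a deliberately planted trapdoor.  The curve and every
# constant are this example's own choices, NOT the SP 800-90 P-256 values.
p, a, b = 11, 1, 6          # y^2 = x^3 + x + 6 over F_11: 13 points, prime order
P = (2, 7)                  # the first published constant (a generator)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None         # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def point_order(pt):
    """Smallest n with n*pt == infinity (brute force; fine for 13 points)."""
    k, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        k += 1
    return k


def x_of(pt):
    if pt is None:
        raise ValueError("state hit the point at infinity; pick another seed")
    return pt[0]


def lift_x(x):
    """Some point with this x-coordinate.  Either sign of y works for the
    attack, because x(d*R) == x(d*(-R))."""
    rhs = (x ** 3 + a * x + b) % p
    for y in range(p):
        if y * y % p == rhs:
            return (x, y)
    raise ValueError("x is not on the curve")


# --- Planting the backdoor: whoever chose Q as a known multiple of P keeps d.
ORDER_N = point_order(P)                    # 13: every nonzero scalar is invertible
SECRET_E = 5                                # known only to the constant-chooser
Q = ec_mul(SECRET_E, P)                     # the second published constant
TRAPDOOR_D = pow(SECRET_E, -1, ORDER_N)     # d such that d*Q == P


def drbg_generate(seed, count):
    """Honest generator in SP 800-90 shape: s = x(s*P), then output x(s*Q).
    The real generator drops the top 16 bits of each output; omitted here."""
    s = seed
    outputs = []
    for _ in range(count):
        s = x_of(ec_mul(s, P))
        outputs.append(x_of(ec_mul(s, Q)))
    return outputs


def attacker_predict(observed_output, count):
    """From one output r = x(s*Q): d*(s*Q) = s*(d*Q) = s*P, whose x is the
    generator's next state.  Then run the public algorithm forward."""
    s = x_of(ec_mul(TRAPDOOR_D, lift_x(observed_output)))
    predicted = []
    for _ in range(count):
        predicted.append(x_of(ec_mul(s, Q)))
        s = x_of(ec_mul(s, P))
    return predicted


if __name__ == "__main__":
    honest = drbg_generate(seed=3, count=8)
    print("honest outputs:    ", honest)
    print("attacker predicts: ", attacker_predict(honest[0], 7))
```

The mitigation the article points at (Appendix A's option to derive fresh constants from a published seed) is the fix for this code too: if Q is produced from a seed by a public procedure that nobody controlled, nobody knows e, so nobody holds d.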
Come-from-Beyond (OP) (Legendary; Activity: 2142, Merit: 1009)
September 16, 2013, 05:43:00 PM  #25

Interesting articles, thank you.
phillipsjk (Legendary; Activity: 1008, Merit: 1001)
September 17, 2013, 07:23:35 AM  #26

Quote from: AndrewWilliams
Time to shut up, listen, and learn. School is in session.

One of two articles, the first showing how NSA puts backdoors in encryption.

Quote
Did NSA Put a Secret Backdoor in New Encryption Standard?
By Bruce Schneier, Wired News, November 15, 2007
Link: https://www.schneier.com/essay-198.html

Second article.

Y'all ought to know by now, NSA will NOT let any cryptography be released that THEY are not going to be able to plant a backdoor in. The nation's security is too important to leave anything to chance.

Quote
New York Times provides new details about NSA backdoor in crypto spec
The paper points a finger definitively at the long-suspected Dual_EC_DRBG algorithm.
by Megan Geuss - Sep 11, 2013 3:00 am UTC
Link: http://arstechnica.com/security/2013/09/new-york-times-provides-new-details-about-nsa-backdoor-in-crypto-spec/

Class is dismissed.


The NSA has to allow secure algorithms to secure their own data. They use AES (possibly with a different key schedule) and SHA-256 AFAIK.

What these revelations mean is that you have to do your homework before using cryptography. Something most users are not going to be able to do. As a result, they will be vulnerable to degradation attacks whereby hosts are tricked into using weak algorithms. These revelations mean the NSA has been making it easier to choose weak algorithms.

For example, I recently disabled password authentication so that I can securely access my computer remotely (using RSA-based public key authentication). In the sshd_config file, I also disabled version 1 of the protocol, MD5 hashing, as well as 3DES and arcfour (RC4) encryption. This means that my computer will refuse to negotiate a connection using those weaker protocols.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
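The sshd_config hardening phillipsjk describes above can be checked mechanically rather than by eye. The block below is an added example, not the poster's configuration and not anything from OpenSSH: it parses sshd_config text with the server's first-value-wins rule for repeated keywords and reports the settings the post disables (protocol 1, password authentication, MD5 MACs, 3DES and arcfour ciphers) on two constructed configurations, one weak and one hardened. The weak-algorithm lists, the constructed configurations, the assumed defaults for absent keywords and the decision to stop at the first Match block are this example's assumptions.

```python
import re

# Algorithms treated as weak: the ones the post disables (3DES, arcfour, MD5
# MACs) plus their OpenSSH name variants.  This is the example's own list.
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96",
             "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com"}

# "Keyword value" or "Keyword=value"; sshd keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text):
    """Map lower-cased keyword -> value for the global section of an
    sshd_config.  sshd uses the FIRST value given for a keyword, so later
    duplicates are ignored here as well.  Parsing stops at the first Match
    block because those settings are conditional (assumption: the global
    section is what is being audited)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split(None, 1)[0].lower() == "match":
            break
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        settings.setdefault(m.group(1).lower(), m.group(2))
    return settings


def _enabled_algorithms(value):
    """Split a Ciphers/MACs value.  A leading '-' removes algorithms from
    the default set, so nothing in such a list is being enabled; '+' and
    '^' append/prepend to the defaults, so those entries are enabled."""
    if value.startswith("-"):
        return []
    return [v.strip().lower() for v in value.lstrip("+^").split(",") if v.strip()]


def audit_sshd_config(text):
    """Return (keyword, detail) findings for the settings the post turns off.
    Assumed defaults when a keyword is absent: Protocol 2,
    PasswordAuthentication yes (OpenSSH's default); absent Ciphers/MACs mean
    the compiled-in defaults, which are not evaluated here."""
    cfg = parse_sshd_config(text)
    findings = []
    protocols = [v.strip() for v in cfg.get("protocol", "2").split(",")]
    if "1" in protocols:
        findings.append(("protocol", "1"))
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("passwordauthentication", "yes"))
    for alg in _enabled_algorithms(cfg.get("ciphers", "")):
        if alg in WEAK_CIPHERS:
            findings.append(("ciphers", alg))
    for alg in _enabled_algorithms(cfg.get("macs", "")):
        if alg in WEAK_MACS:
            findings.append(("macs", alg))
    return findings


# Constructed sample configurations (not from any real host).
WEAK_CONFIG = """\
# weak: constructed example
Protocol 2,1
PasswordAuthentication yes
PubkeyAuthentication yes
Ciphers aes128-ctr,3des-cbc,arcfour
MACs hmac-sha2-256,hmac-md5
# the next line is ignored by sshd: the first value above wins
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# hardened: constructed example with the shape of the post's changes
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers aes256-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

Run it on a real host with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`, and compare with the output of `sshd -T`, since the file alone never shows the compiled-in defaults; on OpenSSH 7.6 and later, which removed protocol 1 entirely, a Protocol line is only a leftover.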
Jace (Sr. Member; Activity: 288, Merit: 251)
September 17, 2013, 08:37:00 AM  #27

Quote
Y'all ought to know by now, NSA will NOT let any cryptography be released that THEY are not going to be able to plant a backdoor in. The nation's security is too important to leave anything to chance.

You seem to imply that the NSA is in charge of what cryptography algorithms people can create and distribute as open source (i.e. release) worldwide?

And "the nation", what nation? Cryptography is not limited to any country's borders.

Feel free to send your life savings to 1JhrfA12dBMUhcgh85wYan6HL2uLQdB6z9
Come-from-Beyond (OP) (Legendary; Activity: 2142, Merit: 1009)
September 17, 2013, 03:25:13 PM  #28

Quote
The NSA has to allow secure algorithms to secure their own data. They use AES (possibly with a different key schedule) and SHA-256 AFAIK.

I "use" a house with a backdoor and don't worry. Because I'm the only one who can open that backdoor.
AndrewWilliams (Full Member; Activity: 182, Merit: 100)
September 17, 2013, 04:54:58 PM  #29

Quote
Y'all ought to know by now, NSA will NOT let any cryptography be released that THEY are not going to be able to plant a backdoor in. The nation's security is too important to leave anything to chance.
Quote
You seem to imply that the NSA is in charge of what cryptography algorithms people can create and distribute as open source (i.e. release) worldwide?

And "the nation", what nation? Cryptography is not limited to any country's borders.

Cryptography is heavily regulated by the US government. You may not export or import cryptography without their approval.
This has to do with a very specialized section of US and international law.

Open source is interesting. I would not be surprised if successful open-source cryptography projects are bought out by the US govt regularly, to prevent them from being released to the public.

TrueCrypt, long thought to be open source, is not really open source. Other than TC, I can not think of an open-source crypto software that is popular. If 95+% of the population is using "approved" cryptography with backdoors in it, it should basically suit the US govt's needs.
kokjo (Legendary; Activity: 1050, Merit: 1000)
September 17, 2013, 04:57:19 PM  #30

Quote
Cryptography is heavily regulated by the US government. You may not export or import cryptography without their approval.
This has to do with a very specialized section of US and international law.

Cool! So there is a law! Do you have a number on how many times it has been broken?

balanghai (Sr. Member; Activity: 364, Merit: 253)
September 17, 2013, 05:00:26 PM  #31

if there is, how fast could they break in?
Jace (Sr. Member; Activity: 288, Merit: 251)
September 17, 2013, 05:21:23 PM  #32

Quote
Y'all ought to know by now, NSA will NOT let any cryptography be released that THEY are not going to be able to plant a backdoor in. The nation's security is too important to leave anything to chance.
Quote
You seem to imply that the NSA is in charge of what cryptography algorithms people can create and distribute as open source (i.e. release) worldwide?

And "the nation", what nation? Cryptography is not limited to any country's borders.
Quote
Cryptography is heavily regulated by the US government. You may not export or import cryptography without their approval.
What do you mean, "export or import cryptography"? We're talking about digital, abstract, virtual stuff here. Their approval simply does not apply. This stuff is online and worldwide, "out there in the cloud", not local or bound to any country or region.

Quote
This has to do with a very specialized section of US and international law.
Oh, the US? Well, the world doesn't care what the US thinks. Iran and North Korea also have "very specialized laws" against all sorts of online endeavours. Do you even care?

Quote
Open source is interesting. I would not be surprised if successful open-source cryptography projects are bought out by the US govt regularly, to prevent them from being released to the public.
Get a grip, man. Open source projects are bought by the US govt? (not the Chinese or Russian govt? You sure?) From whom, exactly? How is that to prevent the world from continuing to freely share these involved sources and ideas?

You're way too US-minded. I guess you're a US citizen yourself, so you may have a twisted perspective, but the world doesn't care that much about the US. Really.

Quote
TrueCrypt, long thought to be open source, is not really open source.
What do you call this?

AndrewWilliams (Full Member; Activity: 182, Merit: 100)
September 17, 2013, 06:01:39 PM (last edit: September 17, 2013, 06:28:00 PM by AndrewWilliams)  #33

Quote from: Jace (#32, above)

I will address your questions in order of stupidity:

Quote
Is TrueCrypt "Open Source"?
Review by kwamehagan about TrueCrypt, Jul 2013
http://alternativeto.net/discussions/applications/10846/is-truecrypt-open-source-/

No.

TrueCrypt has not been approved under the Open Source Initiative. This is due to not following The Open Source Definition for software.

It is also using a custom licence which has been vetted and mandated as non open-source.

    Fedora: Forbidden Items - TrueCrypt

        The TrueCrypt software is under a poor license, which is not only non-free, but has the potential to be actively dangerous to end users or distributors who agree to it, opening them to possible legal action even if they abide by all of the licensing terms, depending on the intent of the upstream copyright holder.

This is why TrueCrypt does not have the status: "Open Source".
(N.B. Wikipedia's status on TrueCrypt is just "source-available")

Quote
What do you mean, "export or import cryptography"? We're talking about digital, abstract, virtual stuff here. Their approval simply does not apply. This stuff is online and worldwide, "out there in the cloud", not local or bound to any country or region.

Quote
From Wikipedia: https://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_States

The export of cryptography in the United States is the transfer from the United States to another country of devices and technology related to cryptography.

Since World War II, many governments, including the U.S. and its NATO allies, have regulated the export of cryptography for national security considerations, and, as late as 1992, cryptography was on the U.S. Munitions List as an Auxiliary Military Technology.[1]

In light of the enormous impact of cryptanalysis in World War II, it was abundantly clear to these governments that denying current and potential enemies access to cryptographic systems looked to be militarily valuable. They also wished to monitor the diplomatic communications of other nations, including the many new nations that were emerging in the post-colonial period and whose position on Cold War issues was regarded as vital.[2]

Since the U.S. and U.K. had, they believed, developed more advanced cryptographic capabilities than others, the intelligence agencies in these countries had a notion that controlling all dissemination of the more effective crypto techniques might be beneficial.

The First Amendment made controlling all use of cryptography inside the U.S. difficult, but controlling access to U.S. developments by others was thought to be more practical — there were at least no constitutional impediments.

Quote
FreeSwan Project
From: http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/exportlaws.html

Many nations restrict the export of cryptography and some restrict its use by their citizens or others within their borders.

US laws, as currently interpreted by the US government, forbid export of most cryptographic software from the US in machine-readable form without government permission. In general, the restrictions apply even if the software is widely-disseminated or public-domain and even if it came from outside the US originally. Cryptography is legally a munition and export is tightly controlled under the EAR Export Administration Regulations.
ijphlrnxewho (Legendary; Activity: 1582, Merit: 1000)
September 18, 2013, 12:46:10 AM  #34

Well, I'm sure the general public trust the super nerds right now with Bitcoins.




phillipsjk (Legendary; Activity: 1008, Merit: 1001)
September 18, 2013, 01:15:53 AM  #35

Quote
FreeSwan Project
From: http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/exportlaws.html

Many nations restrict the export of cryptography and some restrict its use by their citizens or others within their borders.

If you look at the page info, you will see that page has not been updated since the year 2000. This also happened around that time:
Apple PowerMac G4 Commercial - Super Computer (Tanks)
They raised the limit to 500 Gflops, which caught the PS3 personal computer entertainment system before dropping that law.

While the restrictions you mention were in place, cryptography development moved outside the United States. I remember having to be careful to download the non-US versions of Debian since it was illegal to re-export strong cryptography. It appears what happened is that the powers-that-be decided exporting cryptography would be allowed. The catch is that now standards developed in the US are suspect.

PS: this thread now has 3 people from my (exclusive) ignore list participating in it. Maybe I should stop commenting.