take two curves and call me in the morning: the story of the nsas dual_ec_drbg and its implications...
DESCRIPTION
Over the last several months a staggering series of revelations have been reported about the wide-reaching efforts of the United States National Security Agency (NSA) to intercept digital communications. Though not surprising to learn the NSA—an intelligence organization—is spying on global targets, the apparent scale and sophistication of their capabilities have been turning heads internationally. Last September, troubling allegations emerged suggesting the NSA influenced the National Institute of Standards and Technology (NIST) into standardizing a cryptographic primitive with a secret backdoor. If true, the backdoor would provide the NSA with a major advantage in its efforts to snoop communications through something known as the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). Although the ensuing backlash has seen the offending code yanked from most major security products, surprising details about the program continue to emerge. In this talk we will explain why random bits are crucial to online privacy, and what you could potentially do to people whose "random" bits you can predict. We will talk about Dual_EC_DRBG, and explain how the backdoor works in general terms. Finally, we will discuss some of the implications of state-level adversaries to health privacy and offer some high-level directions for healthcare providers to pursue.TRANSCRIPT
Take Two Curves and Call Me in the Morning: !
The Story of the NSA’s Dual_EC_DRBG and its Implications to Health Privacy
Aleksander Essex, Ph.D Assistant professor, Western Engineering
Feb. 13th, 2014 !
Talk outline 1. Emergence of the state-level cyber threats
2. Background on Dual_EC_DRBG
3. The backdoor
4. The backlash
5. Lessons for health privacy
Emergence of state-level cyber threats
A new world • Early 2013: Edward Snowden begins working
with reporters
• June 2013: First reports published in media of mass surveillance program by NSA
• December 2013: Only 1% of documents published….
State-level adversaries
Mass Surveillance • Surveillance of communication networks
• PRISM, ECHELON, etc
• Data vs. metadata
State-level adversaries
http://electrospaces.blogspot.ca/p/nicknames-and-codewords.htmlhttp://icons.iconarchive.com/icons/icons-land/vista-hardware-devices/128/Portable-Computer-icon.png
ANT Catalogue • Attacks end-points
• Exploits for major software, hardware, firmware • Examples: DROPOUTJEEP, IRATEMONK, IRONCHEF, DEITYBOUNCE
State-level adversaries
http://electrospaces.blogspot.ca/p/nicknames-and-codewords.htmlhttp://icons.iconarchive.com/icons/icons-land/vista-hardware-devices/128/Portable-Computer-icon.png
State-level adversaries
http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/
Hijacking Standards • Public attempt to backdoor crypto in 90’s
(clipper chip)
• Secretly backdooring crypto standards a new attack vector
State-level adversaries
http://findicons.com/icon/15313/users_2?id=403108
Public
Background on Dual_EC_DRBG
Background • Random numbers important to cryptographic
protocols
• Used for generating keys, nonces, initialization vectors, etc.
• Deterministic random bit generators (DRBG) generate random-looking bits based on algorithm
Dual_EC_DRBG Background
Background • NIST Special Publications: effort to
standardize DRGB and entropy sources
• Used for FIPS validation. Required to sell security products to gov’t clients
• NIST SP 800-90A specified four DRBGs based on different primitives: block ciphers, HMACs, hashes, and elliptic curves
Dual_EC_DRBG Background
Elliptic curves
Dual_EC_DRBG Background
Elliptic curves • Points P, Q: points on the curve
• Point operations: a number times a point equals another point, P = nQ
• Discrete log problem: • Easy to compute P=nQ given n,Q
• Hard to compute n given P,Q
Dual_EC_DRBG Background
DUAL_EC_DRBG
Dual_EC_DRBG Background
a
b
c
. . .
f(aP)
f(bP)
f(cP)
a’
b’
c’
. . .
f(aQ)
f(bQ)
f(cQ)
DUAL_EC_DRBG
Dual_EC_DRBG Background
a
b
c
. . .
f(aP)
f(bP)
f(cP)
a’
b’
c’
. . .
f(aQ)
f(bQ)
f(cQ)
• Internal state: a,b,c…Updated using P
• Output bits: a’,b’,c’…Updated using Q
DUAL_EC_DRBG
Dual_EC_DRBG Background
a
b
c
. . .
f(aP)
f(bP)
f(cP)
a’
b’
c’
. . .
f(aQ)
f(bQ)
f(cQ)
• MUST HAVE property: can’t predict predict next output from previous output
DUAL_EC_DRBG
Dual_EC_DRBG Background
a
b
c
. . .
f(aP)
f(bP)
f(cP)
a’
b’
c’
. . .
f(aQ)
f(bQ)
f(cQ)
• MUST HAVE property: can’t predict predict next output from previous output
• You COULD if you knew the internal state…
The backdoor
The backdoor • Recall P,Q are points on the curve
• That means there is a number n such that P=nQ
The backdroor
The backdoor
The backdroor
a
b
c
. . .
f(aP)
f(bP)
f(cP)
a’
b’
c’
. . .
f(aQ)
f(bQ)
f(cQ)
• Attack: recover internal state
• Use magic number n: n*(aQ) = a*(nQ) = aP
• With aP, can compute b’, c’, … all future values
TLS: we all use it every day
The backdroor
Dual_EC_DRBG
Nonce
Nonce
TLS “ClientHello”
Dual_EC_DRBG
premaster secret
TLS ClientKeyExchange
Encpk(premaster secret)
Sees Dual_EC_DRBG output Computes internal state
Use internal state to compute next output (i.e., premaster secret and hence encryption keys)
The backdoor • If P,Q generated randomly, DUAL_EC_DRBG
is secure. If P chosen as P=nQ, a backdoor exists
• Who generated P,Q in SP 800-90A? NIST?
• No. Rather NSA, it would seem
The backdroor
The backlash
NIST’s initial response
The backlash
There has been some confusion about the standards development process and the role of different organizations in it. NIST’s mandate is to develop standards and guidelines to protect federal information and information systems. Because of the high degree of confidence in NIST standards, many private industry groups also voluntarily adopt these standards. !!
http://www.nist.gov/director/cybersecuritystatement-091013.cfm
Then…
The backlash
http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf
“ NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, … no longer be used.
Who implemented it?
The backlash
http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html
Who implemented it?
The backlash
http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html
Who implemented it?
The backlash
http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html
!
• These companies received FIPS validation for Dual_EC_DRBG implementations
• Does not mean Dual_EC_DRBG enabled by default, used, or even compiled in respective products
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
Was it anyone’s default?
• Yes. NSA paid RSA $10M to make Dual_EC_DRBG the default in their BSAFE security suite
Backlash • Dual_EC_DRBG pulled by NIST (for now)
• Code yanked from most products
• Researchers boycotting upcoming RSA conference
• Long term credibility issues for NIST
The backlash
Implications • Only those with knowledge of P=nQ
relationship can exploit this (i.e., NSA)
• CSEC played a role in this story
The backlash
Lessons for health privacy
Lesson 1: It takes a scandal • 2004: Certicom knew this could happen.
Filed a patent to generate P,Q randomly (see USP 8,396,213)
• 2005: NIST knew this could happen (according to John Kelsey in late 2013)
• 2007: Microsoft researchers knew this could happen. Gave talk at CRYPTO ‘07
Lessons for health privacy
Lesson 2: Nothing is sacred • Healthcare data cannot be considered
exempt from interference from state-level actors
• Risk assessments must factor them in (as hard as it is to do)
• CSEC’s relationship with PHIPA unclear
Lessons for health privacy
Lesson 3: Vendors not necessarily working in your interest • Vendors may be cooperating with state-level
actors (voluntarily or involuntarily)
• Verify security claims with SME’s
Lessons for health privacy
Lesson 4: Trust standards only as far as you can throw them • NIST has credibility issues
• Algorithm isn’t necessarily the problem, parameters are
• Need more research into verifiably random parameter selection
Lessons for health privacy
Conclusion • As an organization sharing health data, what
should you do?
• Dual_EC_DRBG fallout seems contained for now, but points to a sinister future
• Healthy dose of skepticism warranted
• Conversation about health data privacy in the face of state-level actors needs to start
Lessons for health privacy
