[Ach] this just happened: On the Practical Exploitability of Dual EC in TLS Implementations

ianG iang at iang.org
Mon Mar 31 20:12:46 CEST 2014

On 31/03/2014 19:05 pm, Aaron Zauner wrote:
> http://dualec.org/
> http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331
> look at the list of authors. :)

We also discovered evidence of the implementation in the RSA BSAFE
products of a non-standard TLS extension called “Extended Random.” This
extension, co-written at the request of the National Security Agency,
allows a client to request longer TLS random nonces from the server, a
feature that, if enabled, would speed up the Dual EC attack by a
factor of up to 65,000. In addition, the use of this extension allows
for attacks on Dual EC instances configured with P-384 and P-521
elliptic curves, something that is not apparently possible in standard

If there remains any doubt that the NSA conducted a campaign to rip the
security out of TLS...  speak now!
