[Ach] this just happened: On the Practical Exploitability of Dual EC in TLS Implementations
ianG
iang at iang.org
Mon Mar 31 20:12:46 CEST 2014
On 31/03/2014 19:05 pm, Aaron Zauner wrote:
> http://dualec.org/
> http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331
>
> look at the list of authors. :)
We also discovered evidence of the implementation in the RSA BSAFE
products of a non-standard TLS extension called “Extended Random.” This
extension, co-written at the request of the National Security Agency,
allows a client to request longer TLS random nonces from the server, a
feature that, if enabled, would speed up the Dual EC attack by a
factor of up to 65,000. In addition, the use of this extension allows
for attacks on Dual EC instances configured with P-384 and P-521
elliptic curves, something that is not apparently possible in standard
TLS. ...
If there remains any doubt that the NSA conducted a campaign to rip the
security out of TLS... speak now!
iang