Your SlideShare is downloading. ×
  • Like
Take Two Curves and Call Me in the Morning: The Story of the NSAs Dual_EC_DRBG and its Implications to Health Privacy
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Take Two Curves and Call Me in the Morning: The Story of the NSAs Dual_EC_DRBG and its Implications to Health Privacy

  • 886 views
Published

Over the last several months a staggering series of revelations have been reported about the wide-reaching efforts of the United States National Security Agency (NSA) to intercept digital …

Over the last several months a staggering series of revelations have been reported about the wide-reaching efforts of the United States National Security Agency (NSA) to intercept digital communications. Though not surprising to learn the NSA—an intelligence organization—is spying on global targets, the apparent scale and sophistication of their capabilities have been turning heads internationally.

Last September, troubling allegations emerged suggesting the NSA influenced the National Institute of Standards and Technology (NIST) into standardizing a cryptographic primitive with a secret backdoor. If true, the backdoor would provide the NSA with a major advantage in its efforts to snoop communications through something known as the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). Although the ensuing backlash has seen the offending code yanked from most major security products, surprising details about the program continue to emerge.

In this talk we will explain why random bits are crucial to online privacy, and what you could potentially do to people whose "random" bits you can predict. We will talk about Dual_EC_DRBG, and explain how the backdoor works in general terms. Finally, we will discuss some of the implications of state-level adversaries to health privacy and offer some high-level directions for healthcare providers to pursue.

Published in Health & Medicine
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
886
On SlideShare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
5
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Take Two Curves and Call Me in the Morning: ! The Story of the NSA’s Dual_EC_DRBG and its Implications to Health Privacy Aleksander Essex, Ph.D Assistant professor, Western Engineering
  • 2. Feb. 13th, 2014 ! Talk outline 1. Emergence of the state-level cyber threats 2. Background on Dual_EC_DRBG 3. The backdoor 4. The backlash 5. Lessons for health privacy
  • 3. Emergence of state-level cyber threats
  • 4. A new world • Early 2013: Edward Snowden begins working with reporters • June 2013: First reports published in media of mass surveillance program by NSA • December 2013: Only 1% of documents published…. State-level adversaries
  • 5. Mass Surveillance • Surveillance of communication networks • PRISM, ECHELON, etc • Data vs. metadata http://electrospaces.blogspot.ca/p/nicknames-and-codewords.html http://icons.iconarchive.com/icons/icons-land/vista-hardware-devices/128/Portable-Computer-icon.png State-level adversaries
  • 6. ANT Catalogue • Attacks end-points • Exploits for major software, hardware, firmware • Examples: DROPOUTJEEP, IRATEMONK, IRONCHEF, DEITYBOUNCE http://electrospaces.blogspot.ca/p/nicknames-and-codewords.html http://icons.iconarchive.com/icons/icons-land/vista-hardware-devices/128/Portable-Computer-icon.png State-level adversaries
  • 7. http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/ State-level adversaries
  • 8. Hijacking Standards • Public attempt to backdoor crypto in 90’s (clipper chip) • Secretly backdooring crypto standards a new attack vector Public http://findicons.com/icon/15313/users_2?id=403108 State-level adversaries
  • 9. Background on Dual_EC_DRBG
  • 10. Background • Random numbers important to cryptographic protocols • Used for generating keys, nonces, initialization vectors, etc. • Deterministic random bit generators (DRBG) generate random-looking bits based on algorithm Dual_EC_DRBG Background
  • 11. Background • NIST Special Publications: effort to standardize DRGB and entropy sources • Used for FIPS validation. Required to sell security products to gov’t clients • NIST SP 800-90A specified four DRBGs based on different primitives: block ciphers, HMACs, hashes, and elliptic curves Dual_EC_DRBG Background
  • 12. Elliptic curves Dual_EC_DRBG Background
  • 13. Elliptic curves • Points P, Q: points on the curve • Point operations: a number times a point equals another point, P = nQ • Discrete log problem: • Easy to compute P=nQ given n,Q • Hard to compute n given P,Q Dual_EC_DRBG Background
  • 14. DUAL_EC_DRBG a f(aP) b f(bP) c f(aQ) f(bQ) f(cQ) a’ b’ c’ f(cP) ... ... Dual_EC_DRBG Background
  • 15. DUAL_EC_DRBG a f(aP) b f(bP) c f(aQ) f(bQ) f(cQ) a’ b’ c’ • Internal state: a,b,c… Updated using P • Output bits: a’,b’,c’… Updated using Q f(cP) ... ... Dual_EC_DRBG Background
  • 16. DUAL_EC_DRBG a f(aP) b f(bP) c f(aQ) f(bQ) f(cQ) a’ b’ • MUST HAVE property: can’t predict predict next output from previous output c’ f(cP) ... ... Dual_EC_DRBG Background
  • 17. DUAL_EC_DRBG a f(aP) b f(bP) c f(aQ) f(bQ) f(cQ) a’ b’ c’ f(cP) ... • MUST HAVE property: can’t predict predict next output from previous output • You COULD if you knew the internal state… ... Dual_EC_DRBG Background
  • 18. The backdoor
  • 19. The backdoor • Recall P,Q are points on the curve • That means there is a number n such that P=nQ The backdroor
  • 20. The backdoor a f(aP) b f(bP) c f(aQ) f(bQ) f(cQ) a’ b’ • Use magic number n: n*(aQ) = a*(nQ) = aP c’ • With aP, can compute b’, c’, … all future values f(cP) ... • Attack: recover internal state ... The backdroor
  • 21. TLS: we all use it every day
  • 22. TLS “ClientHello” Nonce Nonce Dual_EC_DRBG Sees Dual_EC_DRBG output Computes internal state TLS ClientKeyExchange Encpk(premaster secret) premaster secret Dual_EC_DRBG Use internal state to compute next output (i.e., premaster secret and hence encryption keys) The backdroor
  • 23. The backdoor • If P,Q generated randomly, DUAL_EC_DRBG is secure. If P chosen as P=nQ, a backdoor exists • Who generated P,Q in SP 800-90A? NIST? • No. Rather NSA, it would seem The backdroor
  • 24. The backlash
  • 25. NIST’s initial response There has been some confusion about the standards development process and the role of different organizations in it. NIST’s mandate is to develop standards and guidelines to protect federal information and information systems. Because of the high degree of confidence in NIST standards, many private industry groups also voluntarily adopt these standards. ! ! http://www.nist.gov/director/cybersecuritystatement-091013.cfm The backlash
  • 26. Then… “ NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, … no longer be used. http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf The backlash
  • 27. Who implemented it? http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html The backlash
  • 28. Who implemented it? http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html The backlash
  • 29. Who implemented it? ! • These companies received FIPS validation for Dual_EC_DRBG implementations • Does not mean Dual_EC_DRBG enabled by default, used, or even compiled in respective products http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html The backlash
  • 30. Was it anyone’s default? • Yes. NSA paid RSA $10M to make Dual_EC_DRBG the default in their BSAFE security suite http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
  • 31. Backlash • Dual_EC_DRBG pulled by NIST (for now) • Code yanked from most products • Researchers boycotting upcoming RSA conference • Long term credibility issues for NIST The backlash
  • 32. Implications • Only those with knowledge of P=nQ relationship can exploit this (i.e., NSA) • CSEC played a role in this story The backlash
  • 33. Lessons for health privacy
  • 34. Lesson 1: It takes a scandal • 2004: Certicom knew this could happen. Filed a patent to generate P,Q randomly (see USP 8,396,213) • 2005: NIST knew this could happen (according to John Kelsey in late 2013) • 2007: Microsoft researchers knew this could happen. Gave talk at CRYPTO ‘07 Lessons for health privacy
  • 35. Lesson 2: Nothing is sacred • Healthcare data cannot be considered exempt from interference from state-level actors • Risk assessments must factor them in (as hard as it is to do) • CSEC’s relationship with PHIPA unclear Lessons for health privacy
  • 36. Lesson 3: Vendors not necessarily working in your interest • Vendors may be cooperating with state-level actors (voluntarily or involuntarily) • Verify security claims with SME’s Lessons for health privacy
  • 37. Lesson 4: Trust standards only as far as you can throw them • NIST has credibility issues • Algorithm isn’t necessarily the problem, parameters are • Need more research into verifiably random parameter selection Lessons for health privacy
  • 38. Conclusion • As an organization sharing health data, what should you do? • Dual_EC_DRBG fallout seems contained for now, but points to a sinister future • Healthy dose of skepticism warranted • Conversation about health data privacy in the face of state-level actors needs to start Lessons for health privacy