Take Two Curves and Call Me in the Morning: The Story of the NSAs Dual_EC_DRBG and its Implications to Health Privacy

1,642 views

Published on

Over the last several months, a staggering series of revelations has been reported about the wide-reaching efforts of the United States National Security Agency (NSA) to intercept digital communications. Though it is not surprising to learn that the NSA—an intelligence organization—is spying on global targets, the apparent scale and sophistication of its capabilities have been turning heads internationally.

Last September, troubling allegations emerged suggesting the NSA influenced the National Institute of Standards and Technology (NIST) into standardizing a cryptographic primitive with a secret backdoor. If true, the backdoor would provide the NSA with a major advantage in its efforts to snoop on communications through something known as the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). Although the ensuing backlash has seen the offending code yanked from most major security products, surprising details about the program continue to emerge.

In this talk we will explain why random bits are crucial to online privacy, and what you could potentially do to people whose "random" bits you can predict. We will talk about Dual_EC_DRBG, and explain how the backdoor works in general terms. Finally, we will discuss some of the implications of state-level adversaries to health privacy and offer some high-level directions for healthcare providers to pursue.

Published in: Health & Medicine
Slide 1: Take Two Curves and Call Me in the Morning: The Story of the NSA’s Dual_EC_DRBG and its Implications to Health Privacy
Aleksander Essex, Ph.D., Assistant Professor, Western Engineering

Slide 2: Feb. 13th, 2014. Talk outline
1. Emergence of state-level cyber threats
2. Background on Dual_EC_DRBG
3. The backdoor
4. The backlash
5. Lessons for health privacy

Slide 3: Emergence of state-level cyber threats

Slide 4: A new world
• Early 2013: Edward Snowden begins working with reporters
• June 2013: First reports published in the media of a mass surveillance program by the NSA
• December 2013: Only 1% of the documents published…

Slide 5: Mass Surveillance
• Surveillance of communication networks
• PRISM, ECHELON, etc.
• Data vs. metadata
http://electrospaces.blogspot.ca/p/nicknames-and-codewords.html

Slide 6: ANT Catalogue
• Attacks end-points
• Exploits for major software, hardware, firmware
• Examples: DROPOUTJEEP, IRATEMONK, IRONCHEF, DEITYBOUNCE
http://electrospaces.blogspot.ca/p/nicknames-and-codewords.html

Slide 7: http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

Slide 8: Hijacking Standards
• Public attempt to backdoor crypto in the 90’s (Clipper chip)
• Secretly backdooring crypto standards: a new attack vector
Slide 9: Background on Dual_EC_DRBG

Slide 10: Background
• Random numbers are important to cryptographic protocols
• Used for generating keys, nonces, initialization vectors, etc.
• Deterministic random bit generators (DRBGs) generate random-looking bits using a deterministic algorithm

Slide 11: Background
• NIST Special Publications: effort to standardize DRBGs and entropy sources
• Used for FIPS validation, which is required to sell security products to gov’t clients
• NIST SP 800-90A specified four DRBGs based on different primitives: block ciphers, HMACs, hashes, and elliptic curves

Slide 12: Elliptic curves

Slide 13: Elliptic curves
• Points P, Q: points on the curve
• Point operations: a number times a point equals another point, P = nQ
• Discrete log problem:
  • Easy to compute P = nQ given n, Q
  • Hard to compute n given P, Q

Slide 14: DUAL_EC_DRBG
[Diagram: internal state chain a → f(aP) = b → f(bP) = c → f(cP) → …; output chain a’ = f(aQ), b’ = f(bQ), c’ = f(cQ), …]

Slide 15: DUAL_EC_DRBG (same diagram)
• Internal state: a, b, c, … updated using P
• Output bits: a’, b’, c’, … updated using Q

Slide 16: DUAL_EC_DRBG (same diagram)
• MUST HAVE property: can’t predict the next output from previous output

Slide 17: DUAL_EC_DRBG (same diagram)
• MUST HAVE property: can’t predict the next output from previous output
• You COULD if you knew the internal state…
Slide 18: The backdoor

Slide 19: The backdoor
• Recall P, Q are points on the curve
• That means there is a number n such that P = nQ

Slide 20: The backdoor (same diagram as slide 14)
• Use magic number n: n*(aQ) = a*(nQ) = aP
• With aP, can compute b’, c’, … all future values
• Attack: recover internal state

Slide 21: TLS: we all use it every day

Slide 22: TLS
[Diagram: the TLS “ClientHello” carries a nonce generated by Dual_EC_DRBG; the adversary sees this Dual_EC_DRBG output and computes the internal state. The TLS ClientKeyExchange carries Enc_pk(premaster secret), where the premaster secret is the generator’s next output; the adversary uses the internal state to compute that next output, i.e., the premaster secret and hence the encryption keys.]

Slide 23: The backdoor
• If P, Q generated randomly, DUAL_EC_DRBG is secure. If P chosen as P = nQ, a backdoor exists
• Who generated P, Q in SP 800-90A? NIST?
• No. Rather NSA, it would seem
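The state update and backdoor relation of slides 14 to 20 and 23 (the step slide 22 relies on to predict the next output), worked on a toy curve as an added example that is not part of the deck: with P = nQ, whoever holds n turns one observed output into the next internal state, whereas with verifiably random P, Q the same step requires a discrete logarithm. Assumptions: the curve y^2 = x^3 + 2x + 2 over F_17 with 19 points and generator (5, 1) is taken from Paar's textbook, and n = 3, the seed and all helper names are constructed for this example.

```python
# Toy Dual_EC_DRBG in the slides' notation: from state a, emit a' = x(aQ), move to b = x(aP).
# Constructed for illustration: Paar's textbook curve y^2 = x^3 + 2x + 2 over F_17 (19 points),
# not the SP 800-90A parameters; the real generator's output truncation is omitted.
P_MOD, A, B = 17, 2, 2

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):                                    # double-and-add k*pt
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def x_of(pt):
    return pt[0]          # infinity would mean state 0 mod 19; unreachable with these parameters
def lift_x(x):
    """Some curve point with x-coordinate x; either sign works, since x(n*(-R)) == x(n*R)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return next((x, y) for y in range(P_MOD) if y * y % P_MOD == rhs)

def dual_ec_outputs(seed, P_pt, Q_pt, rounds):
    """Honest generator: emit x(aQ), then update a <- x(aP) (slides 14 and 15)."""
    outs, a = [], seed
    for _ in range(rounds):
        outs.append(x_of(ec_mul(a, Q_pt)))
        a = x_of(ec_mul(a, P_pt))
    return outs

def backdoor_predict(observed_out, n, Q_pt):
    """Slide 20: n*(aQ) = a*(nQ) = aP, whose x is the next state b; then b' = x(bQ)."""
    b = x_of(ec_mul(n, lift_x(observed_out)))         # without n this needs the discrete log of P base Q
    return x_of(ec_mul(b, Q_pt))

Q_PT = (5, 1)                   # generator of the 19-point group
N_SECRET = 3                    # the "magic number" known only to whoever chose P
P_PT = ec_mul(N_SECRET, Q_PT)   # P = nQ = (10, 6): the hidden relationship
```

With seed 2 the honest generator emits 6, 10, 0, 16, 9, 10, and feeding any one output to backdoor_predict with n returns the very next one.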
Slide 24: The backlash

Slide 25: NIST’s initial response
“There has been some confusion about the standards development process and the role of different organizations in it. NIST’s mandate is to develop standards and guidelines to protect federal information and information systems. Because of the high degree of confidence in NIST standards, many private industry groups also voluntarily adopt these standards.”
http://www.nist.gov/director/cybersecuritystatement-091013.cfm

Slide 26: Then…
“NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, … no longer be used.”
http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf

Slide 27: Who implemented it?
http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html

Slide 28: Who implemented it? (continued)

Slide 29: Who implemented it?
• These companies received FIPS validation for Dual_EC_DRBG implementations
• Does not mean Dual_EC_DRBG was enabled by default, used, or even compiled in the respective products

Slide 30: Was it anyone’s default?
• Yes. NSA paid RSA $10M to make Dual_EC_DRBG the default in their BSAFE security suite
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

Slide 31: Backlash
• Dual_EC_DRBG pulled by NIST (for now)
• Code yanked from most products
• Researchers boycotting upcoming RSA conference
• Long-term credibility issues for NIST

Slide 32: Implications
• Only those with knowledge of the P = nQ relationship can exploit this (i.e., NSA)
• CSEC played a role in this story
Slide 33: Lessons for health privacy

Slide 34: Lesson 1: It takes a scandal
• 2004: Certicom knew this could happen. Filed a patent to generate P, Q randomly (see USP 8,396,213)
• 2005: NIST knew this could happen (according to John Kelsey in late 2013)
• 2007: Microsoft researchers knew this could happen. Gave a talk at CRYPTO ’07

Slide 35: Lesson 2: Nothing is sacred
• Healthcare data cannot be considered exempt from interference by state-level actors
• Risk assessments must factor them in (as hard as that is to do)
• CSEC’s relationship with PHIPA unclear

Slide 36: Lesson 3: Vendors not necessarily working in your interest
• Vendors may be cooperating with state-level actors (voluntarily or involuntarily)
• Verify security claims with SMEs (subject-matter experts)

Slide 37: Lesson 4: Trust standards only as far as you can throw them
• NIST has credibility issues
• The algorithm isn’t necessarily the problem; the parameters are
• Need more research into verifiably random parameter selection

Slide 38: Conclusion
• As an organization sharing health data, what should you do?
• Dual_EC_DRBG fallout seems contained for now, but points to a sinister future
• A healthy dose of skepticism is warranted
• The conversation about health data privacy in the face of state-level actors needs to start