
Apr 03, 2014


Hello Mr. Baker- First, there is no such thing as "a flaw only NSA can exploit." That doesn't make sense, because a flaw can be exploited by anyone who discovers it, or has downloaded code written by someone else who did. Second, you say that "it’s quite a surprise that no backdoor has been proved." If a backdoor was "proved," that would be the end of that backdoor. Computer security is concerned with backdoors that have been discovered by black hats, but not white hats. Once a backdoor is found, the software is fixed and the backdoor is closed.

Backdoors introduced by anyone, including the NSA, can be used by black hats (bad guys) to do bad guy stuff.

Thank you for this thought-provoking article.

I think the article you cite does not quantify the number of potentially backdoored servers well at all; it could be 720, or 720 + 12%, or any larger number. Certainly the media has exaggerated the threat, as they always do.

ZMap is not a company that scans servers. It is a program you can download and run on your own system to scan the Internet. And only if you have a very fast Internet connection (gigabit) can it do so in an hour.


The reason it is a flaw that only the NSA can exploit is that the alleged flaw in the protocol requires knowledge of two secret parameters that are used to generate a number built into the protocol.

If someone has knowledge of these two secret parameters - according to the 2007 paper by Microsoft Research - the NSA would be able to quickly predict the numbers output by Dual_EC_DRBG. Without knowledge of the secret parameters, Dual_EC_DRBG is a fairly safe algorithm to use for key generation.

So that tells us that if the NSA kept hold of these two secret parameters, they can break it easily - but a better question is can someone who ISN'T the NSA find out what the secret numbers are to break it easily?

The answer here is a categorical no: using the power of math we can show that deducing the secret parameters given the public number in Dual_EC_DRBG is equivalent to a problem called the Discrete Log Problem - a provably hard problem to solve. In fact, if you can find a fast algorithm to find the secret numbers in Dual_EC_DRBG, that same algorithm will find you Gmail's private key equally fast (because Gmail uses Elliptic Curve Cryptography, which is based on the same hard problem).

This is why this is a flaw "only the NSA can exploit". If the NSA kept hold of those secret parameters, they can break Dual_EC_DRBG. But if you're not the NSA, you need to solve the Discrete Log Problem on the public number in Dual_EC_DRBG to get the secret parameters to break it, a problem as hard as breaking Gmail's private key.
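The mechanism the commenter describes, as an added example that is not from the original post or from any real Dual_EC_DRBG implementation: a toy version of the generator over a 17-element field, with a constructed secret d such that Q = d·P. It shows that whoever holds d (or its inverse e) predicts every later output from a single one, while an outsider must solve Q = d·P, a discrete logarithm, which brute force only manages here because the toy group has 18 elements.

```python
# Toy Dual_EC_DRBG on y^2 = x^3 + 7 over F_17 (18 points), constructed for
# illustration; real Dual_EC_DRBG uses P-256 and truncates each output.
MOD, B = 17, 7
P_BASE, N = (15, 13), 18      # base point P and its group order (checked by hand)
INF = None                    # point at infinity

def add(p1, p2):
    """Affine point addition; handles doubling and the point at infinity."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % MOD == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, MOD)
    x3 = (lam * lam - x1 - x2) % MOD
    return (x3, (lam * (x1 - x3) - y1) % MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

D_SECRET = 5                  # the hidden relation Q = d*P (gcd(d, N) = 1)
Q_POINT = mul(D_SECRET, P_BASE)

def dual_ec_outputs(seed, count):
    """Simplified Dual_EC_DRBG step: r = x(s*P); s' = x(r*P); output x(r*Q)."""
    s, outs = seed, []
    for _ in range(count):
        r = mul(s, P_BASE)[0]
        s = mul(r, P_BASE)[0]
        outs.append(mul(r, Q_POINT)[0])
    return outs

def predict_next(output, e):
    """With e = d^-1 mod N, one output gives the next state: x(e*rQ) = x(rP)."""
    rhs = (output ** 3 + B) % MOD
    y = next(y for y in range(MOD) if y * y % MOD == rhs)   # either root works
    s_next = mul(e, (output, y))[0]
    r = mul(s_next, P_BASE)[0]
    return mul(r, Q_POINT)[0]

def recover_d_by_dlog():
    """Without e, an outsider faces Q = d*P, a discrete log: brute force works
    only because N = 18 here; on P-256 the search space is about 2^256."""
    return next(k for k in range(1, N) if mul(k, P_BASE) == Q_POINT)
```

Because x = 0 is not on this curve and every x-coordinate is below N, no scalar in the toy ever reduces to zero, so the generator never lands on the point at infinity.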
