Hi all,
After Edward Snowden spilled the beans on the NSA I've become extremely paranoid about system security. If not the NSA, who else?
I've been trying to find out if the versions of openssl shipped by fedora use the "Dual Elliptical Curve" encryption method that RSA so politely (for a tidy $um) made default at the request of the US's NSA. That is the encryption method with the NSA's very own backdoor.
If so, has it been corrected? Is openssl even safe to use anymore? What about previous versions of fedora?
And what about our certificates? Are they more or less useless now?
Where do we go from here?
If anybody is up on security I think we'd all like to know what is going on here esp. re fedora.
Thanks *very* much for any help on this, Mike Wright
ps. for spit and giggles maybe everybody ought to take all their non-private email and CC them to the NSA. That will give them something else to do with their time besides wiping their butts on the constitution.
On 12/22/2013 07:05 AM, Mike Wright wrote:
Hi all,
After Edward Snowden spilled the beans on the NSA I've become extremely paranoid about system security. If not the NSA, who else?
I've been trying to find out if the versions of openssl shipped by fedora use the "Dual Elliptical Curve" encryption method that RSA so politely (for a tidy $um) made default at the request of the US's NSA. That is the encryption method with the NSA's very own backdoor.
If so, has it been corrected? Is openssl even safe to use anymore? What about previous versions of fedora?
And what about our certificates? Are they more or less useless now?
Where do we go from here?
If anybody is up on security I think we'd all like to know what is going on here esp. re fedora.
Thanks *very* much for any help on this, Mike Wright
ps. for spit and giggles maybe everybody ought to take all their non-private email and CC them to the NSA. That will give them something else to do with their time besides wiping their butts on the constitution.
Not so funny thing for me is: When I was helping convert a religious site in the USA to Russian language my email system at bigpond.com eventually had a chronic backlog of emails and could send and receive no more. Translators and reviewers kept getting email return notices that my bigpond email box was full, even though it had no emails in it and bigpond could find no problems. Security advice was that I was and still have all my email addresses monitored. I hope they like the Linux chat and other bland conversations. I think, now that bigpond have gone over to windows server, it'll be far easier to infiltrate, oops, I mean keep tabs on things. Roger
On Sat, Dec 21, 2013 at 8:05 PM, Mike Wright mike.wright@mailinator.com wrote:
I've been trying to find out if the versions of openssl shipped by fedora use the "Dual Elliptical Curve" encryption method that RSA so politely (for a tidy $um) made default at the request of the US's NSA. That is the encryption method with the NSA's very own backdoor.
If so, has it been corrected? Is openssl even safe to use anymore? What about previous versions of fedora?
From http://arstechnica.com/security/2013/12/report-nsa-paid-rsa-to-make-flawed-c...
The Dual_EC_DRBG algorithm is included in the NIST-approved crypto standard SP 800-90 and has been viewed with suspicion since shortly after its inclusion in the 2006 specification. In 2007, researchers from Microsoft showed that the algorithm could be backdoored: if certain relationships between numbers included within the algorithm were known to an attacker, then that attacker could predict all the numbers generated by the algorithm. These suspicions of backdooring seemed to be confirmed this September with the news that the National Security Agency had worked to undermine crypto standards (http://arstechnica.com/security/2013/09/the-nsas-work-to-make-crypto-worse-and-better/).
The impact of this backdooring seemed low. The 2007 research, combined with Dual_EC_DRBG's poor performance, meant that the algorithm was largely ignored. Most software didn't implement it, and the software that did generally didn't use it.
Other commentators say pretty much the same thing. The Dual_EC_DRBG algorithm was viewed with suspicion from the start, and besides was very slow, so most crypto software doesn't implement it. An exception is RSA's own Bsafe product, but as that's nonfree it wouldn't be part of Fedora anyway.
It would nevertheless be good to have a statement about this from a Fedora authority.
poc
On Sat, Dec 21, 2013 at 1:05 PM, Mike Wright mike.wright@mailinator.com wrote:
I've been trying to find out if the versions of openssl shipped by fedora use the "Dual Elliptical Curve" encryption method that RSA so politely (for a tidy $um) made default at the request of the US's NSA. That is the encryption method with the NSA's very own backdoor.
If so, has it been corrected? Is openssl even safe to use anymore? What about previous versions of fedora?
I'm fairly certain you're referring to Dual_EC_DRBG. [1] It is a pseudorandom number generator, not an "encryption method" in and of itself. That being said, good, unguessable random numbers are an important tenet of modern cryptography. The issue with Dual_EC_DRBG is that certain attackers may be able to ascertain its output, thus potentially weakening any encryption that used random numbers generated by it.
Please do not confuse it with elliptic curve cryptography in general. Certain encryption technologies that employ elliptic curve methods may actually _reduce_ the ability of snooping governments to gain access to your encrypted data. [2]
Dual_EC_DRBG is indeed implemented by OpenSSL. [3] (I cannot say for certain whether or not it has been patched out by the Fedora OpenSSL maintainers.) However, it is not used as the default pseudorandom number generator for any purpose within it. [3] So unless you're forcing OpenSSL to use it by some means, you're fine.
Furthermore, as an OpenSSL developer observes in the above linked mailing list thread, it is by no means the least secure thing implemented in OpenSSL. OpenSSL implements a wide variety of encryption technologies; it's up to individual programmers to stick with the safe defaults or be very careful in what they choose otherwise.
Potential problems with Dual_EC_DRBG were identified long before the NSA scandal was in the news, so I think it's highly unlikely any open source software forces its use. Of course, unless you audit every line of source code of every piece of software you use, you're always potentially vulnerable...
Unfortunately, OpenSSL can't just kill off many of these older not-so-safe methods, as some people are stuck dealing with legacy equipment/software where poor encryption is better than none at all. However, they are considering disabling Dual_EC_DRBG nonetheless.
And what about our certificates? Are they more or less useless now?
There are no vulnerabilities related to X.509 certificates generated by OpenSSL (on Fedora or otherwise) that I am aware of.
The closest thing in this vein affected _SSH_ keys generated on Debian systems between 2006 and 2008. [4] That was introduced by patches to openssl by Debian Developers and never affected Fedora/Red Hat systems. Incidentally, that fiasco is a great example of the importance of good random number generation in cryptography.
-T.C.
[1] https://en.wikipedia.org/wiki/Dual_EC_DRBG
[2] https://en.wikipedia.org/wiki/Forward_secrecy
[3] http://openssl.6102.n7.nabble.com/Dual-EC-DRBG-td46628.html
[4] http://research.swtch.com/openssl
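A constructed illustration of the Debian SSH key problem referenced above in [4], added here and not part of the thread or of OpenSSL/Debian code: the seed was left with only the process ID as entropy, so a generator that should span 256 bits spans about 32768 values, which is exactly why a blacklist of every possible weak key (the approach of the openssl-blacklist/ssh-vulnkey tools) was feasible. SHA-256 stands in for the real key derivation, and the seed label is made up.

```python
"""Toy model of the 2006-2008 Debian OpenSSL entropy bug (constructed example)."""
import hashlib
import secrets

PID_MAX = 32768  # classic Linux pid_t range on the affected systems


def broken_keygen(pid: int) -> bytes:
    """Models the broken generator: the 'key' depends on nothing but the PID.
    SHA-256 over a fixed label stands in for the deterministic key derivation."""
    return hashlib.sha256(b"constructed-seed-label:" + str(pid).encode()).digest()


def good_keygen() -> bytes:
    """Models a correctly seeded generator: the seed comes from the OS CSPRNG,
    so the output space is the full 256 bits rather than ~15 bits."""
    return hashlib.sha256(secrets.token_bytes(32)).digest()


def build_blacklist() -> set:
    """What the blacklist tools did: enumerate every key the broken generator
    can emit. This is only feasible because there are just PID_MAX of them."""
    return {broken_keygen(pid) for pid in range(1, PID_MAX)}


def is_weak(key: bytes, blacklist: set) -> bool:
    """Defender-side check: does a key fall inside the enumerable weak set?"""
    return key in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print("distinct weak keys:", len(bl))          # 32767
    print("PID-seeded key flagged:", is_weak(broken_keygen(1234), bl))  # True
    print("properly seeded key flagged:", is_weak(good_keygen(), bl))   # False
```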
On Sat, 2013-12-21 at 17:14 -0700, T.C. Hollingsworth wrote:
And what about our certificates? Are they more or less useless now?
There are no vulnerabilities related to X.509 certificates generated by OpenSSL (on Fedora or otherwise) that I am aware of.
The big vulnerability in the whole certificate authentication system is not the certs themselves or the crypto based on them. It's the security of the certificate authorities. There have been several well-publicized incidents recently where CAs have been hacked and had certs stolen, which allowed attackers to play man-in-the-middle (snooping on encrypted connections) or put up fake certs to lure users to bogus web sites which will check out as legit in the browsers.
This of course does not apply to certs you generate yourself with openssl, but CA-signed certs are more common on the net.
--Greg