openssl and NSA backdoor

T.C. Hollingsworth tchollingsworth at gmail.com
Sun Dec 22 00:14:18 UTC 2013


On Sat, Dec 21, 2013 at 1:05 PM, Mike Wright <mike.wright at mailinator.com> wrote:
> I've been trying to find out if the versions of openssl shipped by fedora
> use the "Dual Elliptical Curve" encryption method that RSA so politely (for
> a tidy $um) made default at the request of the US's NSA. That is the
> encryption method with the NSA's very own backdoor.
>
> If so, has it been corrected?  Is openssl even safe to use anymore? What
> about previous versions of fedora?

I'm fairly certain you're referring to Dual_EC_DRBG.  [1]  It is a
pseudorandom number generator, not an "encryption method" in and of
itself.  That being said, good, unguessable random numbers are an
important tenet of modern cryptography.  The issue with Dual_EC_DRBG
is that certain attackers may be able to ascertain its output, thus
potentially weakening any encryption that used random numbers
generated by it.

Please do not confuse it with elliptic curve cryptography in general.
Certain encryption technologies that employ elliptic curve methods may
actually _reduce_ the ability of snooping governments to gain access
to your encrypted data.  [2]

Dual_EC_DRBG is indeed implemented by OpenSSL. [3]  (I cannot say for
certain whether or not it has been patched out by the Fedora OpenSSL
maintainers.)  However, it is not used as the default pseudorandom
number generator for any purpose within it. [3]  So unless you're
forcing OpenSSL to use it by some means, you're fine.

Furthermore, as an OpenSSL developer observes in the above linked
mailing list thread, it is by no means the least secure thing
implemented in OpenSSL.  OpenSSL implements a wide variety of
encryption technologies; it's up to individual programmers to stick
with the safe defaults or be very careful in what they choose
otherwise.

Potential problems with Dual_EC_DRBG were identified long before the
NSA scandal was in the news, so I think it's highly unlikely any open
source software forces its use.  Of course, unless you audit every
line of source code of every piece of software you use, you're always
potentially vulnerable...

Unfortunately, OpenSSL can't just kill off many of these older
not-so-safe methods, as some people are stuck dealing with legacy
equipment/software where poor encryption is better than none at all.
However, they are considering disabling Dual_EC_DRBG nonetheless.

> And what about our certificates?  Are they more or less useless now?

There are no vulnerabilities related to X.509 certificates generated
by OpenSSL (on Fedora or otherwise) that I am aware of.

The closest thing in this vein affected _SSH_ keys generated on Debian
systems between 2006 and 2008. [4]  That was introduced by patches to
openssl by Debian Developers and never affected Fedora/Red Hat
systems.  Incidentally, that fiasco is a great example of the
importance of good random number generation in cryptography.

-T.C.

[1] https://en.wikipedia.org/wiki/Dual_EC_DRBG
[2] https://en.wikipedia.org/wiki/Forward_secrecy
[3] http://openssl.6102.n7.nabble.com/Dual-EC-DRBG-td46628.html
[4] http://research.swtch.com/openssl
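
Added illustration, not part of the original message and not OpenSSL or Debian code: a toy model of why a generator with guessable output undermines the keys built on it, and how a defender can flag such keys by fingerprint blacklist. The 32768-value seed space, `toy_keygen`, and `weak_rng` are assumptions constructed for this example.

```python
import hashlib
import os
import random

# Assumption: the generator's only entropy is a small, PID-sized seed.
SEED_SPACE = 32768


def weak_rng(seed):
    """Return a byte source whose entire state derives from a small seed."""
    r = random.Random(seed)
    return lambda n: bytes(r.getrandbits(8) for _ in range(n))


def toy_keygen(rng_bytes):
    """Constructed stand-in for key generation: the key is 32 RNG bytes."""
    return rng_bytes(32)


def fingerprint(key):
    """Hash used to identify a key without storing the key itself."""
    return hashlib.sha256(key).hexdigest()


def build_blacklist():
    """Fingerprint every key the weak generator is able to produce."""
    return {fingerprint(toy_keygen(weak_rng(s))) for s in range(SEED_SPACE)}


def is_weak(key, blacklist):
    """True if the key could have come from the weak generator."""
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    blacklist = build_blacklist()
    # A key from the weak generator, with a seed chosen arbitrarily.
    legacy_key = toy_keygen(weak_rng(4242))
    # A key of the same length from the operating system's CSPRNG.
    fresh_key = toy_keygen(os.urandom)
    print("possible weak keys:", len(blacklist))
    print("legacy key flagged:", is_weak(legacy_key, blacklist))
    print("fresh key flagged: ", is_weak(fresh_key, blacklist))
```

The key length is the same in both cases; only the number of keys the generator can produce differs, which is why the audit is a set lookup rather than any cryptanalysis.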

