Dual Elliptic Curve Deterministic Random Bit Generator
The Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG)[1] is a cryptographically secure pseudorandom number generator (CSPRNG) built on elliptic curve cryptography. Published around June 2006, the algorithm drew heavy criticism from cryptographers and was believed to contain a potential backdoor; nevertheless, until it was withdrawn in 2017, Dual_EC_DRBG spent seven years as one of the four (now three) standard CSPRNGs defined in NIST SP 800-90A.
See also
- Cryptographically secure pseudorandom number generator
- Random number generator attack
- Crypto AG: a Swiss company primarily engaged in communications and information security, which was for many years under the direct control of the US Central Intelligence Agency and the German Federal Intelligence Service and inserted backdoors into its encryption machines[2].
References
- ^ Recommendations for Random Number Generation Using Deterministic Random Bit Generators (Revised) (PDF). National Institute of Standards and Technology. January 2012 [2018-03-03]. NIST SP 800-90. (Archived (PDF) from the original on 2013-10-09).
- ^ How the CIA used Crypto AG encryption devices to spy on countries for decades - Washington Post. www.washingtonpost.com. 2020-02-11 [2020-02-13]. (Archived from the original on 2020-02-11).
External links
- NIST SP 800-90A - Recommendation for Random Number Generation Using Deterministic Random Bit Generators (archived at the Internet Archive)
- Dual EC DRBG (archived at the Internet Archive) - Collection of Dual_EC_DRBG information, by Daniel J. Bernstein, Tanja Lange, and Ruben Niederhagen.
- On the Practical Exploitability of Dual EC in TLS Implementations (archived at the Internet Archive) - Key research paper by Stephen Checkoway et al.
- The prevalence of kleptographic attacks on discrete-log based cryptosystems (archived at the Internet Archive) - Adam L. Young, Moti Yung (1997)
- United States Patent Application Publication US 2007189527, Brown, Daniel R. L. & Vanstone, Scott A., "Elliptic curve random number generation" - on the Dual_EC_DRBG backdoor, and ways to negate the backdoor.
- Comments on Dual-EC-DRBG/NIST SP 800-90, Draft December 2005 - Kristian Gjøsteen's March 2006 paper concluding that Dual_EC_DRBG is predictable, and therefore insecure.
- A Security Analysis of the NIST SP 800-90 Elliptic Curve Random Number Generator (archived at the Internet Archive) - Daniel R. L. Brown and Kristian Gjøsteen's 2007 security analysis of Dual_EC_DRBG. Though at least Brown was aware of the backdoor (from his 2005 patent), the backdoor is not explicitly mentioned. The analysis assumes non-backdoored constants and a greater output bit truncation than Dual_EC_DRBG specifies.
- On the Possibility of a Back Door in the NIST SP800-90 Dual Ec Prng (archived at the Internet Archive) - Dan Shumow and Niels Ferguson's presentation, which made the potential backdoor widely known.
- The Many Flaws of Dual_EC_DRBG (archived at the Internet Archive) - Matthew Green's simplified explanation of how and why the backdoor works.
- A few more notes on NSA random number generators (archived at the Internet Archive) - Matthew Green
- Sorry, RSA, I'm just not buying it (archived at the Internet Archive) - Summary and timeline of Dual_EC_DRBG and public knowledge.
- [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair] (archived at the Internet Archive: //web.archive.org/web/20160818132539/http://www.ietf.org/mail-archive/web/cfrg/current/msg03651.html) - A December 2013 email by Daniel R. L. Brown defending Dual_EC_DRBG and the standards process.