[OTR-users] OTR mentioned in Snowden documents?

Gregory Maxwell gmaxwell at gmail.com
Thu Sep 12 11:18:48 EDT 2013


On Thu, Sep 12, 2013 at 6:56 AM, Nathan of Guardian
<nathan at guardianproject.info> wrote:
> On 09/11/2013 10:47 AM, Mike Minor wrote:
>> The constant "c49d360886e704936a6678e1139d26b7819f7e90" appears to be a malicious non-random seed for the prime256v1 curve that is found in BouncyCastle.  Are you relying on it in your code?
> Since we only use DSA, and this appears to be ECC, we are not currently
> affected in our use of bouncycastle for OTR.
>
> However, I am more curious about where you pulled that suspicious
> constant from? Do you have direct knowledge of subterfuge or is it an
> interest of yours to find these types of things?
>
> I ask because finding what is essentially a backdoor in BouncyCastle's
> ECC is a *big deal*.

I suspect this is just someone who's seized on a post I made on the tor
list pointing out that the "provably random" constants used for NIST
P256r were not very meaningfully provably random.  It's certainly not
something to be concerned about specific to Bouncy Castle or OTR.

(It was selected in a way which prevents using an algebraic approach
to select a unique trapdoored parameter, but does nothing to prevent
selection based on secret characteristics which could weaken or
strengthen the curve, so long as the characteristics in question were
common enough to find an example through a brute force search on SHA1)



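The X9.62 / FIPS 186 "verifiably random" recipe the message refers to, as an added example (not code from this thread or from Bouncy Castle): it expands the P-256 seed quoted above with SHA-1 into the integer r and checks r * b^2 = a^3 (mod p) against the published P-256 coefficients. The generation-direction function and the alternative seed are constructed for illustration; the curve constants are the published ones.

```python
import hashlib

# NIST P-256 / prime256v1 domain parameters as published in FIPS 186 (SEC 2 lists the same seed).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def x962_r_from_seed(seed: bytes, p: int) -> int:
    """Expand SEED into the integer r of ANSI X9.62 / FIPS 186 (prime field, SHA-1).
    r is the only thing that ties the published b to SEED."""
    g = len(seed) * 8            # seed length in bits (160 for the NIST curves)
    t = p.bit_length()           # 256 for P-256
    s = (t - 1) // 160           # extra SHA-1 outputs needed after the first
    v = t - 160 * s              # bits taken from the first SHA-1 output
    h = int.from_bytes(hashlib.sha1(seed).digest(), "big")
    w0 = h & ((1 << v) - 1)      # rightmost v bits of SHA-1(SEED) ...
    w0 &= ~(1 << (v - 1))        # ... with their leftmost bit cleared so that r < p
    r, z = w0, int.from_bytes(seed, "big")
    for i in range(1, s + 1):    # W_i = SHA-1((SEED + i) mod 2^g)
        z_i = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        r = (r << 160) | int.from_bytes(hashlib.sha1(z_i).digest(), "big")
    return r


def verify_seed(seed: bytes, p: int, a: int, b: int) -> bool:
    """X9.62 check: r * b^2 == a^3 (mod p). True only shows b was derived from
    SEED by this recipe; it says nothing about how SEED itself was chosen."""
    return (x962_r_from_seed(seed, p) * b * b - a ** 3) % p == 0


def b_from_seed(seed: bytes, p: int, a: int):
    """Generation direction: b = sqrt(a^3 / r) mod p, or None if that is not a
    square (p = 3 mod 4 for P-256, so one exponentiation gives the root).
    Any SEED whose r yields a square gives a curve that passes verify_seed,
    which is why the check cannot tell a random seed from one selected by trial."""
    r = x962_r_from_seed(seed, p)
    if r % p == 0:
        return None
    target = (a ** 3 * pow(r, -1, p)) % p
    b = pow(target, (p + 1) // 4, p)
    return b if (b * b) % p == target else None


if __name__ == "__main__":
    print("published P-256 b derives from its seed:", verify_seed(P256_SEED, P256_P, P256_A, P256_B))
    alt = bytes.fromhex("00" * 19 + "01")   # constructed seed, not from any standard
    print("constructed seed also yields a 'verifiable' b:", b_from_seed(alt, P256_P, P256_A) is not None)
```

Passing the check confirms only that b was computed from the seed; it cannot reveal whether the seed was the first one tried or the survivor of a search, which is the limitation the message describes.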