[OTR-users] OTR mentioned in Snowden documents?

Mike Minor mike at firstworldproblems.com
Thu Sep 12 12:32:10 EDT 2013


On Sep 12, 2013, at 8:18 AM, Gregory Maxwell <gmaxwell at gmail.com> wrote:

> On Thu, Sep 12, 2013 at 6:56 AM, Nathan of Guardian
> <nathan at guardianproject.info> wrote:
>> On 09/11/2013 10:47 AM, Mike Minor wrote:
>>> The constant "c49d360886e704936a6678e1139d26b7819f7e90" appears to be a malicious non-random seed for the prime256v1 curve that is found in BouncyCastle.  Are you relying on it in your code?
>> Since we only use DSA, and this appears to be ECC, we are not currently
>> affected in our use of bouncycastle for OTR.
>> 
>> However, I am more curious about where you pulled that suspicious
>> constant from? Do you have direct knowledge of subterfuge or is it an
>> interest of yours to find these types of things?
>> 
>> I ask because finding what is essentially a backdoor in BouncyCastle's
>> ECC is a *big deal*.
> 
> I suspect this is just someone who's seized on a post I made on the tor
> list pointing out that the "provably random" constants used for NIST
> P256r were not very meaningfully provably random.  It's certainly not
> something to be concerned about specific to Bouncy Castle or OTR.
> 

Thanks, Gregory.  You are correct, I first came across this issue from a post of yours on bitcointalk.  It was never my intention to claim this came from me - this is way over my pay grade.

> (It was selected in a way which prevents using an algebraic approach
> to select a unique trapdoored parameter, but does nothing to prevent
> selection based on secret characteristics which could weaken or
> strengthen the curve, so long as the characteristics in question were
> common enough to find an example through a brute force search on SHA1)

djb discusses this approach in slide 21 of 'Security Dangers of the NIST curves': http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf

In light of the confirmation of the Dual_EC_DRBG maliciousness, I think all NIST constants are suspect.  

Schneier has read something in regard to ECC which has made him distrust the NIST constants.  Putting everything together, it seems a fair bet that your claims are valid.  Thank you for your research in this area.

My goal is to spark discussion as to the methods the NSA might have used to get their OTR 'success' - right after my post, the duh moment hit that OTR doesn't use ECC.  Obviously, this attack would not apply.  I remembered Marlinspike's TextSecure does use Suite B, though.

What are your thoughts regarding the NSA's claim of a 'success' in regards to OTR?


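The seed-to-coefficient step of the ANSI X9.62 A.3.3.1 "verifiably random" procedure that Gregory's quoted remark and djb's slide 21 refer to, written out as an added example. This is not code from the thread, nor from the OTR, Bouncy Castle or NIST projects; it follows the X9.62 / FIPS 186-2 procedure as I read it (160-bit big-endian seed, SHA-1 of the seed and of seed+1, r*b^2 = -27 mod p with a = -3) and uses only the published P-256 p, b and seed constants. The second half runs a toy seed search: the predicate on b is a constructed stand-in for whatever secret curve property a generator might want, and the expensive parts of real curve generation (point counting, order and embedding-degree checks) are skipped, so it shows only that the seed is a free input and that a seed chosen by search still passes the published verification check.

```python
import hashlib

# NIST P-256 domain parameters as published (FIPS 186-4 D.1.2.3); a = p - 3.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_SEED = 0xc49d360886e704936a6678e1139d26b7819f7e90  # the constant from the thread

SEED_BITS = 160          # g in X9.62 A.3.3.1; the NIST seeds are 160 bits
T = 256                  # bit length of p
S = (T - 1) // 160       # number of extra SHA-1 outputs (1 for P-256)
V = T - 160 * S          # bits taken from the first hash (96 for P-256)


def _sha1_int(x: int) -> int:
    """SHA-1 of x encoded as a big-endian 160-bit string, as an integer."""
    return int.from_bytes(hashlib.sha1(x.to_bytes(SEED_BITS // 8, "big")).digest(), "big")


def seed_to_r(seed: int) -> int:
    """X9.62 A.3.3.1: W0 = rightmost V bits of SHA-1(seed) with the leftmost bit
    cleared, Wi = SHA-1((seed + i) mod 2^160) for i = 1..S, r = int(W0 || ... || WS)."""
    w = _sha1_int(seed) & ((1 << (V - 1)) - 1)   # V bits, top bit forced to 0
    for i in range(1, S + 1):
        w = (w << 160) | _sha1_int((seed + i) % (1 << SEED_BITS))
    return w


def verify_seed(seed: int, b: int, p: int = P256_P) -> bool:
    """The published check (X9.62 A.3.4.1): with a = -3, r * b^2 == -27 (mod p)."""
    r = seed_to_r(seed)
    if r == 0 or (4 * r + 27) % p == 0:   # degenerate r rejected by the spec
        return False
    return (r * b * b + 27) % p == 0


def seed_to_b(seed: int, p: int = P256_P):
    """Solve b^2 = -27 / r (mod p) for a = -3; None when no square root exists.
    p = 3 (mod 4) for P-256, so a root, when it exists, is x^((p+1)/4)."""
    r = seed_to_r(seed)
    if r == 0 or (4 * r + 27) % p == 0:
        return None
    b2 = (-27 * pow(r, -1, p)) % p
    b = pow(b2, (p + 1) // 4, p)
    return b if (b * b) % p == b2 else None


def search_seeds(predicate, start_seed: int = 0, max_tries: int = 1_000_000):
    """Increment the seed until the derived b satisfies a (secret) predicate.
    Returns (seed, b, tries). Point counting and the other curve checks that a
    real generator must also pass are deliberately omitted (assumption: this
    only models the cost of the seed search itself)."""
    seed = start_seed
    for tries in range(1, max_tries + 1):
        b = seed_to_b(seed)
        if b is not None and predicate(b):
            return seed, b, tries
        seed = (seed + 1) % (1 << SEED_BITS)
    raise RuntimeError("no matching seed within max_tries")


if __name__ == "__main__":
    print("published P-256 seed verifies:", verify_seed(P256_SEED, P256_B))
    # Constructed, harmless stand-in for a 'secret' property (probability ~1/256):
    # the top byte of b is 0xbe. Real criteria would concern curve structure.
    seed, b, tries = search_seeds(lambda b: (b >> 248) == 0xbe)
    print(f"seed {seed:040x} matched after {tries} tries; "
          f"still verifies: {verify_seed(seed, b)}")
```

The point of the search half is the one Gregory makes: the seed fixes b through SHA-1, so nobody can solve for a seed that yields a chosen b, but nothing stops a generator from trying seeds until one yields a curve with a property only they are checking for, and the result is indistinguishable from an honest seed under the published verification.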