Take Two Curves and Call Me in the Morning: The Story of the NSAs Dual_EC_DRBG and its Implications to Health Privacy

50 %
50 %
Information about Take Two Curves and Call Me in the Morning: The Story of the NSAs...
Health & Medicine

Published on February 18, 2014

Author: kelemam

Source: slideshare.net

Description

Over the last several months a staggering series of revelations have been reported about the wide-reaching efforts of the United States National Security Agency (NSA) to intercept digital communications. Though not surprising to learn the NSA—an intelligence organization—is spying on global targets, the apparent scale and sophistication of their capabilities have been turning heads internationally.

Last September, troubling allegations emerged suggesting the NSA influenced the National Institute of Standards and Technology (NIST) into standardizing a cryptographic primitive with a secret backdoor. If true, the backdoor would provide the NSA with a major advantage in its efforts to snoop communications through something known as the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). Although the ensuing backlash has seen the offending code yanked from most major security products, surprising details about the program continue to emerge.

In this talk we will explain why random bits are crucial to online privacy, and what you could potentially do to people whose "random" bits you can predict. We will talk about Dual_EC_DRBG, and explain how the backdoor works in general terms. Finally, we will discuss some of the implications of state-level adversaries to health privacy and offer some high-level directions for healthcare providers to pursue.

Take Two Curves and Call Me in the Morning: ! The Story of the NSA’s Dual_EC_DRBG and its Implications to Health Privacy Aleksander Essex, Ph.D Assistant professor, Western Engineering

Feb. 13th, 2014 ! Talk outline 1. Emergence of the state-level cyber threats 2. Background on Dual_EC_DRBG 3. The backdoor 4. The backlash 5. Lessons for health privacy

Emergence of state-level cyber threats

A new world • Early 2013: Edward Snowden begins working with reporters • June 2013: First reports published in media of mass surveillance program by NSA • December 2013: Only 1% of documents published…. State-level adversaries

Mass Surveillance • Surveillance of communication networks • PRISM, ECHELON, etc • Data vs. metadata http://electrospaces.blogspot.ca/p/nicknames-and-codewords.html http://icons.iconarchive.com/icons/icons-land/vista-hardware-devices/128/Portable-Computer-icon.png State-level adversaries

ANT Catalogue • Attacks end-points • Exploits for major software, hardware, firmware • Examples: DROPOUTJEEP, IRATEMONK, IRONCHEF, DEITYBOUNCE http://electrospaces.blogspot.ca/p/nicknames-and-codewords.html http://icons.iconarchive.com/icons/icons-land/vista-hardware-devices/128/Portable-Computer-icon.png State-level adversaries

http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/ State-level adversaries

Hijacking Standards • Public attempt to backdoor crypto in 90’s (clipper chip) • Secretly backdooring crypto standards a new attack vector Public http://findicons.com/icon/15313/users_2?id=403108 State-level adversaries

Background on Dual_EC_DRBG

Background • Random numbers important to cryptographic protocols • Used for generating keys, nonces, initialization vectors, etc. • Deterministic random bit generators (DRBG) generate random-looking bits based on algorithm Dual_EC_DRBG Background

Background • NIST Special Publications: effort to standardize DRGB and entropy sources • Used for FIPS validation. Required to sell security products to gov’t clients • NIST SP 800-90A specified four DRBGs based on different primitives: block ciphers, HMACs, hashes, and elliptic curves Dual_EC_DRBG Background

Elliptic curves Dual_EC_DRBG Background

Elliptic curves • Points P, Q: points on the curve • Point operations: a number times a point equals another point, P = nQ • Discrete log problem: • Easy to compute P=nQ given n,Q • Hard to compute n given P,Q Dual_EC_DRBG Background

DUAL_EC_DRBG a f(aP) b f(bP) c f(aQ) f(bQ) f(cQ) a’ b’ c’ f(cP) ... ... Dual_EC_DRBG Background

DUAL_EC_DRBG a f(aP) b f(bP) c f(aQ) f(bQ) f(cQ) a’ b’ c’ • Internal state: a,b,c… Updated using P • Output bits: a’,b’,c’… Updated using Q f(cP) ... ... Dual_EC_DRBG Background

DUAL_EC_DRBG a f(aP) b f(bP) c f(aQ) f(bQ) f(cQ) a’ b’ • MUST HAVE property: can’t predict predict next output from previous output c’ f(cP) ... ... Dual_EC_DRBG Background

DUAL_EC_DRBG a f(aP) b f(bP) c f(aQ) f(bQ) f(cQ) a’ b’ c’ f(cP) ... • MUST HAVE property: can’t predict predict next output from previous output • You COULD if you knew the internal state… ... Dual_EC_DRBG Background

The backdoor

The backdoor • Recall P,Q are points on the curve • That means there is a number n such that P=nQ The backdroor

The backdoor a f(aP) b f(bP) c f(aQ) f(bQ) f(cQ) a’ b’ • Use magic number n: n*(aQ) = a*(nQ) = aP c’ • With aP, can compute b’, c’, … all future values f(cP) ... • Attack: recover internal state ... The backdroor

TLS: we all use it every day

TLS “ClientHello” Nonce Nonce Dual_EC_DRBG Sees Dual_EC_DRBG output Computes internal state TLS ClientKeyExchange Encpk(premaster secret) premaster secret Dual_EC_DRBG Use internal state to compute next output (i.e., premaster secret and hence encryption keys) The backdroor

The backdoor • If P,Q generated randomly, DUAL_EC_DRBG is secure. If P chosen as P=nQ, a backdoor exists • Who generated P,Q in SP 800-90A? NIST? • No. Rather NSA, it would seem The backdroor

The backlash

NIST’s initial response There has been some confusion about the standards development process and the role of different organizations in it. NIST’s mandate is to develop standards and guidelines to protect federal information and information systems. Because of the high degree of confidence in NIST standards, many private industry groups also voluntarily adopt these standards. ! ! http://www.nist.gov/director/cybersecuritystatement-091013.cfm The backlash

Then… “ NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, … no longer be used. http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf The backlash

Who implemented it? http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html The backlash

Who implemented it? http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html The backlash

Who implemented it? ! • These companies received FIPS validation for Dual_EC_DRBG implementations • Does not mean Dual_EC_DRBG enabled by default, used, or even compiled in respective products http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html The backlash

Was it anyone’s default? • Yes. NSA paid RSA $10M to make Dual_EC_DRBG the default in their BSAFE security suite http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

Backlash • Dual_EC_DRBG pulled by NIST (for now) • Code yanked from most products • Researchers boycotting upcoming RSA conference • Long term credibility issues for NIST The backlash

Implications • Only those with knowledge of P=nQ relationship can exploit this (i.e., NSA) • CSEC played a role in this story The backlash

Lessons for health privacy

Lesson 1: It takes a scandal • 2004: Certicom knew this could happen. Filed a patent to generate P,Q randomly (see USP 8,396,213) • 2005: NIST knew this could happen (according to John Kelsey in late 2013) • 2007: Microsoft researchers knew this could happen. Gave talk at CRYPTO ‘07 Lessons for health privacy

Lesson 2: Nothing is sacred • Healthcare data cannot be considered exempt from interference from state-level actors • Risk assessments must factor them in (as hard as it is to do) • CSEC’s relationship with PHIPA unclear Lessons for health privacy

Lesson 3: Vendors not necessarily working in your interest • Vendors may be cooperating with state-level actors (voluntarily or involuntarily) • Verify security claims with SME’s Lessons for health privacy

Lesson 4: Trust standards only as far as you can throw them • NIST has credibility issues • Algorithm isn’t necessarily the problem, parameters are • Need more research into verifiably random parameter selection Lessons for health privacy

Conclusion • As an organization sharing health data, what should you do? • Dual_EC_DRBG fallout seems contained for now, but points to a sinister future • Healthy dose of skepticism warranted • Conversation about health data privacy in the face of state-level actors needs to start Lessons for health privacy

Add a comment

Related presentations

Related pages

Take Two Curves and Call Me in the Morning: The Story of ...

Take Two Curves and Call Me in the Morning: The Story of the NSA’s Dual_EC_DRBG and its Implications to Health ... its Implications to Health Privacy.
Read more

Webinars - Electronic Health Information Laboratory

... “Take Two Curves and Call Me in the Morning: The Story of the NSA’s Dual_EC_DRBG and its Implications to Health ... Senior Health Privacy ...
Read more

Curves: About Curves - Get the Skinny - Curves Women's ...

There are two main reasons for Curves ... † Curves has teamed up with America's health and wellness expert Jillian Michaels to launch ... Privacy Policy ...
Read more

TAKING BACK SUNDAY lyrics - AZLyrics - Song Lyrics from A to Z

TAKING BACK SUNDAY lyrics ... Sink Into Me Lonely, Lonely Summer, Man Swing ... You Got Me Call Me In The Morning
Read more

Demand Curve - NetMBA Business Knowledge Center

By convention, the demand curve displays quantity demanded as the independent variable (the x axis) and price as the dependent variable (the y axis).
Read more

Brain Basics: Understanding Sleep : National Institute of ...

Brain Basics: Understanding Sleep. ... By morning, people spend nearly ... illogical experiences we call dreams almost always occur during REM ...
Read more

Curves Women's Weight Loss via Fitness, Meal Plan and Coaching

or Call 1.800.CURVES30. 30 ... It’s the month of love and there’s no better way to love YOURSELF than by getting in a workout at Curves! Check out ...
Read more

Actonel: Uses, Dosage & Side Effects Guide - Drugs.com

Do not take two different strengths of Actonel tablet ... Wait until the following morning to take the medicine ... Stop using Actonel and call your ...
Read more