On 07 Sep 2013, at 11:26 PM, Steve Marquess wrote:
> Note that Dual EC DRBG is *NOT* used by default and a calling
> application must specifically and deliberately enable it; that cannot be
> done accidentally. Any application which does so will hopefully be fully
> aware of the consequences (an
OK, this sounds like Dual EC DRBG is not really a problem for someone not
bound to use it.
So what about ECDH? I've read in many places, e.g. on this cryptography
mailing list [1], that it could be trouble when the curves have been
suggested by the NSA.
What about the use of hardware RNGs?
[1] http:/
On 09/07/2013 11:32 AM, Gary wrote:
> ...
>
> Here's a list of highlights from Bruce's article back
> then[3]:...
>
> "...
> My recommendation, if you're in need of a random-number generator, is
> not to use Dual_EC_DRBG under any circumstances. If you have to use
> something in SP 800-90, use CT
In a recent Q&A with Bruce Schneier and James Ball (a journalist)[1],
Ball said, "Because the NSA and GCHQ have been influencing standards,
and working to covertly modify code, almost anything could potentially
have been compromised. Something as simple as – hypothetically –
modifying a basic rando
Dear OpenSSL users,
so as most of us probably have, I've read both the Guardian article [1] as
well as Bruce Schneier's comments [2] on the newest revelations. So I was
wondering given what little information is available
what can be done to improve the situation.
Here is my take on what we know: