Why did we implement Dual EC DRBG in the first place?
- ----------------------------------------------------
It was requested by a sponsor as one of several deliverables. The
reasoning at the time (my reasoning and call as the project manager)
was that we would implement any algorithm based on official published
standards. SP800-90A is a more or less mandatory part of FIPS 140-2,
for any module of non-trivial complexity. FIPS 140-2 validations are
expensive and difficult, taking on average a year to complete and we
have to wait years between validations. So, there is an incentive to
pack as much as possible into each validation and our sponsors (dozens
of them) had a long list of requirements they were willing to fund.
We knew at the time (this was the pre-Snowden era) that Dual EC DRBG
had a dubious reputation, but it was part of an official standard (one
of the four DRBGs in SP800-90A) and OpenSSL is after all a comprehensive
cryptographic library and toolkit. As such it implements many algorithms
of varying strength and utility, from worthless to robust. We of course
did not enable Dual EC DRBG by default, and the discovery of this bug
demonstrates that no one has even attempted to use it.
Where did our implementation come from?
- --------------------------------------
The client requirement was simply "Implement all of SP800-90A". Our code
was implemented solely from that standard.
Seems fair enough if a client says "implement all the standard" that they implemented it... it's a bit different than "just add this one algorithm"
This "explanation" is misdirection. The accusation was never that the NSA wanted to add just this one bust algorithm. The NSA, acting as a client protected by privacy, could have easily invested time and money to be a significant contributor, with a small, hidden, 1 time payload.
I fail to see how it's misdirection. OpenSSL have explained, clearly, what they were paid for - and it seems entirely reasonable to implement everything, especially given - as that post shows - that the duff algorithm was really quite hard to use unless you really tried.
Additionally, given the trouble Theo's got into on a number of occasions for criticisng bits of the government, it seems fairly unlikely that he would've been comfortable with the project taking NSA money.
Most plausible situation: Corporation said "here's money, implement ALL the things", OpenSSL figured it was a good way to get the useful things paid for plus some stuff that potential future sponsors might find useful in marketing material.
As for whether said Corporation had additional, non-obvious motives, I make no guess either way.
But misdirection does not, frankly, seem appropriate to describe the explanation given, and your scare quotes suggest you're appealing to emotion rather than presenting an actual argument. Do feel free to present one if you have one, though, it's entirely possible I misunderstood.
1) Were flaws introduced into the technology which potentially reduce the strength of the encryption?
2) Did OpenSSL know about it?
It seems the answers can be yes and no without any real stretch.
If you are, say, the NSA, asking / paying for a whole standard to be implemented (a) gets the bit you want implemented and (b) hides what you're really interested in from anyone wondering and looks less suspicious. Once it's in they could either start pushing for it to become a default, push for people to voluntarily choose it (get people speaking at conferences to recommend it or whatever), or just leave it knowing that a few people would use it and that works for them too.
But the fact that OpenSSL probably weren't complicit doesn't change the fact that elements of the product need to be considered potentially flawed.
1) the mailing list post states that OpenSSL wants to be comprehensive, even when that means providing implementations of algorithms that you probably shouldn't use. The inclusion of weak, or even broken, algorithms does not undermine the product as a whole given this mission. It has no impact on the effectiveness of other, stronger algorithms in OpenSSL.
2) OpenSSL knew that one of the algorithms in the standard was weak, but thought it was still valuable to implement the standard. again, the comprehensiveness goal means it's up to the end users to utilize OpenSSL in a manner consistent with their use case.
You're reading too much into this. FIPS-140 validation is required for many applications in areas like healthcare and banking. FIPS compliance is also required for most state/local government applications as well.
I believe you need to be compliant with everything in the spec to be validated.
It's pretty obvious that the 'client' was indeed the NSA. They say they can't reveal who the client is because of the NDA. If the client was NOT the NSA they could simply say so. But they didn't...
Steve Marquess, the originator of that post on nabble, is the main point of contact for OpenSSL commercial contracting. It's interesting that he used that phrasing.
