On 1/04/2014 22:32 pm, Nico Williams wrote:
> On Mon, Mar 31, 2014 at 12:45 PM, Stephen Farrell
> <[email protected]> wrote:
>> The paper [2] also has more about exploiting dual-ec if you
>> know a backdoor that I've not yet read really.
>
>> [2] http://dualec.org/

"The paper has been temporarily removed. It will return shortly."

Does anyone know why the paper has been withdrawn? (I got my copy earlier.)

> That paper talks about servers. What is the prevalence of Dual_EC on
> the client-side of TLS?
>
> Assuming most TLS usage involves RSA key transport -a fair assumption
> given the well-noted non-use of PFS until recent times- the client's
> RNG is more critical than the server's.
>
> I realize that client-side prevalence is harder to measure. Still,
> since Dual_EC was in the Java and SChannel stacks, it seems reasonable
> to conclude that client-side Dual_EC penetration was quite high at its
> peak, but is that right?

Yeah, I wondered about that. The paper tried to do it from outside, accessing web servers. Not a lot else they could do, quickly and efficiently.

What might be nice is a downloadable program from a trusted source that scanned the Java & SChannel installs and figured out whether the appropriate slimeware was installed. It would be interesting to find out where, when, why Dual_EC had found itself enabled on various platforms.

I wouldn't object if it asked whether it could send a little message saying "YES/NO for abc1234" where the latter is a unique cookie.

iang

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
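As an added illustration of the Java half of the scanner iang sketches above (example code written for this page; it is not from the list post, from the dualec.org authors, or from any vendor), the program below enumerates every SecureRandom implementation registered with the running JVM, flags the ones whose algorithm name looks like Dual_EC, and reports which algorithm `new SecureRandom()` actually selects by default. The name fragments it matches on are assumptions: "ECDRBG" is the naming used by RSA's Crypto-J provider (ECDRBG128 and friends); the other two are defensive guesses. The SChannel side is not covered here; on Windows that check would go through CNG (BCryptOpenAlgorithmProvider with BCRYPT_RNG_DUAL_EC_ALGORITHM, "DUALECRNG") rather than through Java.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/*
 * DualEcScan: added example for this page, not code from the list post
 * or from the dualec.org paper. Lists every SecureRandom registered with
 * the running JVM and flags those whose algorithm name looks like
 * Dual_EC, then reports which algorithm "new SecureRandom()" picks by
 * default. A Dual_EC provider that is installed but never selected is a
 * different finding from one that every TLS handshake ends up using.
 */
public class DualEcScan {

    // Assumed name fragments (compared upper-case). "ECDRBG" follows the
    // Crypto-J naming (ECDRBG128 etc.); the other two are defensive guesses.
    static final String[] SUSPECT_FRAGMENTS = { "ECDRBG", "DUALEC", "DUAL_EC" };

    /** One hit: the provider and the SecureRandom algorithm it offers. */
    public static final class Finding {
        public final String provider;
        public final String algorithm;

        Finding(String provider, String algorithm) {
            this.provider = provider;
            this.algorithm = algorithm;
        }

        @Override
        public String toString() {
            return provider + ": SecureRandom." + algorithm;
        }
    }

    /** Case-insensitive match of an algorithm name against the suspect list. */
    static boolean looksLikeDualEc(String algorithm) {
        String upper = algorithm.toUpperCase(Locale.ROOT);
        for (String fragment : SUSPECT_FRAGMENTS) {
            if (upper.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Walk every installed provider in preference order (the order from
     * java.security plus anything registered at runtime) and collect the
     * SecureRandom services whose names match.
     */
    public static List<Finding> scanProviders() {
        List<Finding> hits = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service svc : p.getServices()) {
                if (!"SecureRandom".equals(svc.getType())) {
                    continue;
                }
                if (looksLikeDualEc(svc.getAlgorithm())) {
                    hits.add(new Finding(p.getName(), svc.getAlgorithm()));
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // The default instance is what SSLContext and most application
        // code will end up using, so its algorithm is the key datum.
        SecureRandom dflt = new SecureRandom();
        System.out.println("Default SecureRandom: " + dflt.getAlgorithm()
                + " from provider " + dflt.getProvider().getName());

        List<Finding> hits = scanProviders();
        if (hits.isEmpty()) {
            System.out.println("NO: no Dual_EC-looking SecureRandom is registered.");
            return;
        }
        for (Finding f : hits) {
            System.out.println("YES: " + f);
        }
        if (looksLikeDualEc(dflt.getAlgorithm())) {
            System.out.println("YES: and it is the default generator.");
        }
        System.exit(1);
    }
}
```

Run it with the same JRE and java.security configuration the application uses, since a provider installed into one JRE's ext directory or listed in one java.security file is invisible to another. The output deliberately stops at a local YES/NO; the "send a little message with a cookie" step iang mentions would be a separate, opt-in addition.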
