On Sat, Dec 21, 2013 at 1:05 PM, Mike Wright <mike.wright@xxxxxxxxxxxxxx> wrote:
> I've been trying to find out if the versions of openssl shipped by fedora
> use the "Dual Elliptical Curve" encryption method that RSA so politely (for
> a tidy $um) made default at the request of the US's NSA. That is the
> encryption method with the NSA's very own backdoor.
>
> If so, has it been corrected? Is openssl even safe to use anymore? What
> about previous versions of fedora?

I'm fairly certain you're referring to Dual_EC_DRBG. [1] It is a pseudorandom number generator, not an "encryption method" in and of itself. That being said, good, unguessable random numbers are an important tenet of modern cryptography. The issue with Dual_EC_DRBG is that certain attackers may be able to ascertain its output, thus potentially weakening any encryption that used random numbers generated by it.

Please do not confuse it with elliptic curve cryptography in general. Certain encryption technologies that employ elliptic curve methods may actually _reduce_ the ability of snooping governments to gain access to your encrypted data. [2]

Dual_EC_DRBG is indeed implemented by OpenSSL. [3] (I cannot say for certain whether or not it has been patched out by the Fedora OpenSSL maintainers.) However, it is not used as the default pseudorandom number generator for any purpose within it. [3] So unless you're forcing OpenSSL to use it by some means, you're fine.

Furthermore, as an OpenSSL developer observes in the above linked mailing list thread, it is by no means the least secure thing implemented in OpenSSL. OpenSSL implements a wide variety of encryption technologies; it's up to individual programmers to stick with the safe defaults or be very careful in what they choose otherwise. Potential problems with Dual_EC_DRBG were identified long before the NSA scandal was in the news, so I think it's highly unlikely any open source software forces its use.

Of course, unless you audit every line of source code of every piece of software you use, you're always potentially vulnerable...

Unfortunately, OpenSSL can't just kill off many of these older not-so-safe methods, as some people are stuck dealing with legacy equipment/software where poor encryption is better than none at all. However, they are considering disabling Dual_EC_DRBG nonetheless.

> And what about our certificates? Are they more or less useless now?

There are no vulnerabilities related to X.509 certificates generated by OpenSSL (on Fedora or otherwise) that I am aware of. The closest thing in this vein affected _SSH_ keys generated on Debian systems between 2006 and 2008. [4] That was introduced by patches to openssl by Debian Developers and never affected Fedora/Red Hat systems. Incidentally, that fiasco is a great example of the importance of good random number generation in cryptography.

-T.C.

[1] https://en.wikipedia.org/wiki/Dual_EC_DRBG
[2] https://en.wikipedia.org/wiki/Forward_secrecy
[3] http://openssl.6102.n7.nabble.com/Dual-EC-DRBG-td46628.html
[4] http://research.swtch.com/openssl

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
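The reply above says the problem with Dual_EC_DRBG is that "certain attackers may be able to ascertain its output". The following is an added, self-contained illustration of exactly that mechanism (the Shumow/Ferguson state-recovery attack) and is not part of T.C.'s message or of OpenSSL. It runs the generator over a constructed toy curve: a 14-bit prime field, a curve picked at run time for prime group order, two output bits dropped instead of the spec's sixteen, and a made-up trapdoor value D with P = D*Q. Everything here is assumed for the demonstration and is far too small to be secure; the point is only that whoever knows D turns one truncated output into the generator's next internal state, while someone guessing a wrong D gets nothing.

```python
"""Toy Dual_EC_DRBG with the Shumow/Ferguson state-recovery attack.

Constructed example: prime, curve, points, trapdoor value and seed are all
made up for illustration and are far too small to be secure.
"""

P_MOD = 10007                     # prime field, p = 3 (mod 4) so a square root is one pow()
A = P_MOD - 3                     # curve y^2 = x^3 - 3x + B, with B chosen below
TRUNC_BITS = 2                    # real spec drops the top 16 of 256 bits; here 2 of 14
OUT_BITS = P_MOD.bit_length() - TRUNC_BITS
MASK = (1 << OUT_BITS) - 1

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + A x + B; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def xcoord(pt):
    if pt is None:
        raise ValueError("hit the point at infinity")
    return pt[0]

def sqrt_mod(v):
    r = pow(v, (P_MOD + 1) // 4, P_MOD)
    return r if r * r % P_MOD == v % P_MOD else None

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def curve_order(b):
    """Count points: each x contributes 0, 1 or 2 depending on the right-hand side."""
    n = 1                                   # the point at infinity
    for x in range(P_MOD):
        rhs = (x * x * x + A * x + b) % P_MOD
        if rhs == 0:
            n += 1
        elif pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:
            n += 2
    return n

def pick_curve():
    """Smallest B giving a non-singular, prime-order curve (so no small subgroups)."""
    for b in range(1, P_MOD):
        if (b * b - 4) % P_MOD != 0 and is_prime(curve_order(b)):
            return b

def lift_x(x):
    y = sqrt_mod((x * x * x + A * x + B) % P_MOD)
    return None if y is None else (x, y)

B = pick_curve()
Q = next(pt for pt in map(lift_x, range(1, P_MOD)) if pt is not None)
D = 2718                          # assumed trapdoor: P = D*Q. Whoever knows D owns the output.
P = ec_mul(D, Q)

def dual_ec_step(s):
    """One DRBG iteration: r = x(sP); next state = x(rP); output = trunc(x(rQ))."""
    r = xcoord(ec_mul(s, P))
    return xcoord(ec_mul(r, P)), xcoord(ec_mul(r, Q)) & MASK

def generate(seed, n):
    outs, s = [], seed
    for _ in range(n):
        s, o = dual_ec_step(s)
        outs.append(o)
    return outs

def recover_state(out_i, following, d):
    """Attacker side. out_i = trunc(x(rQ)): guess the dropped bits, lift x back to a
    point (the sign of y is irrelevant since x(d*(-T)) == x(d*T)), multiply by the
    trapdoor d to get rP, whose x is the next state, and keep the guess that
    reproduces the outputs that followed. Returns None if no guess fits."""
    for hi in range(1 << TRUNC_BITS):
        x = (hi << OUT_BITS) | out_i
        if x >= P_MOD:
            break
        pt = lift_x(x)
        if pt is None:
            continue                        # no curve point has this x-coordinate
        try:
            s_next = xcoord(ec_mul(d, pt))
            if generate(s_next, len(following)) == following:
                return s_next
        except ValueError:
            continue
    return None

def demo(seed=4242, n=8):
    outs = generate(seed, n)
    s1 = recover_state(outs[0], outs[1:3], D)   # one output to attack, two to confirm
    return outs, generate(s1, n - 1)            # attacker's prediction of outs[1:]

if __name__ == "__main__":
    outs, predicted = demo()
    print(f"curve B={B}, group order={curve_order(B)}, P = {D}*Q")
    print("DRBG outputs     :", outs)
    print("attacker predicts:", predicted)
```

Note what the attacker needs: only the relationship P = D*Q, one truncated output, and a little brute force over the dropped bits. Nothing about the seed is used. That is why the reply's advice holds: an application that never selects this DRBG exposes nothing, and the defence is "don't use it", not "seed it better".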