[Dailydave] DUAL_EC Question of the Day

Dave Aitel dave at immunityinc.com
Tue Dec 22 10:05:03 EST 2015

"Know yourself, blah blah blah, always win" - Sun Tzu

So all big companies have a problem - they want to strongly encrypt
their local network, but they also don't want to move ALL of their
network inspection to the endpoints because that scales terribly.
Likewise, you don't want to implement a per-protocol key escrow service,
because that becomes impossible to maintain.

DUAL_EC-aware intrusion detection and analysis systems are the perfect
answer. Every encrypted protocol is "broken", but only to your network
security equipment. People assumed that the NSA wanted a backdoored
random number generator so they could look at other people's traffic,
but of course a plausible answer is that a backdoored random number
generator is even more useful for looking at your own traffic in an
economical way.

If the NSA was watching Juniper VPN traffic to decrypt it, they probably
would have noticed very quickly when it started failing once the
backdoor was put into Juniper equipment, overwriting the Q value. Then
again, we don't know who originally told Juniper there was a backdoor...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20151222/29a0419f/attachment-0001.sig>

More information about the Dailydave mailing list