The strange story of “Extended Random” (2017)
Hi everyone. I'd like to point you to this article by Matthew Green, who teaches cryptography at Johns Hopkins University: https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-ext...

I don't think it went through the list at the time, but I'll try to give a quick summary that everyone can follow (the subheadings are mine). The only thing on which I disagree with the author is the role played by control over printers in international espionage, which in my opinion Green hugely underestimates.

In any case, the story becomes particularly amusing (and disturbing) when you find these backdoors created by the NSA in some Juniper Networks products "at a customer's request", made public in 2015, as reported in this recent letter from Senator Wyden to the NSA: https://www.wyden.senate.gov/imo/media/doc/012921%20Wyden%20Booker%20Letter%...

Poor United States! It must be awful to see your own surveillance weapons in someone else's hands!

Giacomo

___

# Preliminaries

I’ve written about the topic of cryptographic backdoors way too much. In 2013, the Snowden revelations revealed the existence of a campaign to sabotage U.S. encryption systems. Since that time, cryptographers have spent thousands of hours identifying, documenting, and trying to convince people to care about these backdoors. [...] you never really get absolute proof. There’s always some innocent or coincidental explanation that could sort of fit the evidence — maybe it was all a stupid mistake. So you look for patterns of unlikely coincidences, and use Occam’s razor a lot. You don’t get a Snowden every day. [...]

# Technical and political background

Dual EC DRBG [...] was a proposed random number generator that the NSA developed in the early 2000s. It was standardized by NIST in 2007, and later deployed in some important cryptographic products — though we didn’t know it at the time. Dual EC has a major problem, which is that it likely contains a backdoor. This was pointed out in 2007 by Shumow and Ferguson, and effectively confirmed by the Snowden leaks in 2013. Drama ensued. NIST responded by pulling the standard. [...]

Somewhere around this time the world learned that RSA Security had made Dual EC the default random number generator in their popular cryptographic library, which was called BSAFE. [...] In late 2013, Reuters reported that RSA had taken $10 million to backdoor their software. RSA sort of denies this. Or something. It’s not really clear. Regardless of the intention, it’s known that RSA BSAFE did incorporate Dual EC. [...]

# The problem

Extended Random [...] increases the amount of random data (“nonces”) used in a TLS protocol connection. [...] when that random data is generated using the Dual EC algorithm [...] this extra data significantly increase the efficiency of decrypting TLS connections. [...]

# The solution? ...

Despite the fact that we found Extended Random in RSA BSAFE (a free version we downloaded from the Internet), a fly in the ointment was that it didn’t actually seem to be enabled. That is: the code was there but the switches to enable it were hard-coded to “off”. [...]

# ...or the cover-up?

It turns out that certain Canon printers are failing to respond properly to connections made using the new version of TLS (which is called 1.3), because they seem to have implemented an unauthorized TLS extension using the same number as an extension that TLS 1.3 needs in order to operate correctly. [...] in short, this news appears to demonstrate that commercial (non-free) versions of RSA BSAFE did deploy the Extended Random extension, and made it active within third-party commercial products. [...] specifically off-the-shelf commercial printers

# The moral

Which brings us to the moral of the story: not only are cryptographic backdoors a terrible idea, but they totally screw up the assigned numbering system for future versions of your protocol. Actually no, that’s a pretty useless moral. Instead, let’s just say that you can deploy a cryptographic backdoor, but it’s awfully hard to control where it will end up.