Phil Pennock

Phil is a grumpy troll, sysadmin developer reliability engineer devopsy something-or-other.

Dec 2015

Elliptical Curveball

in CodeSOD

Why is it that you hear people saying, “don’t roll your own crypto”? It can’t be that bad, right? I mean, if the code gives the correct outputs when given the correct inputs?

Everything in cryptography depends upon “high quality” random numbers, and lots of them. People get into semi-informed flamewars about what “entropy” means, government agencies sneak backdoors into algorithms, performance matters, secrecy matters, and unpredictability matters. The standard which defines four randomness generators is NIST Special Publication 800-90. One of the four, Dual_EC_DRBG, raised suspicions because it was three times slower than any of the others.