This presentation examines the elliptic curve parameters standardized by NIST in FIPS 186-2, which some suspect of having been back-doored by the NSA. Despite being first introduced over 17 years ago, these curve parameters remain highly prevalent, as they are central to both the TLS and SSH protocols. An overview of the history and process of their standardization will be given, along with a discussion of the NSA’s other successful back doors in NIST’s standards (as revealed by Edward Snowden). Recent developments in new curve parameters will be shown, as will a practical guide aimed at systems administrators for disabling the suspicious curve parameters in TLS and SSH.
Joe Testa is co-founder of Positron Security, a Rochester-based computer security company, and is a current board member and treasurer of Security B-Sides Rochester Inc. (a 501(c)(3) charity responsible for BSidesROC). He specializes in penetration testing, exploit development, social engineering, and server & network hardening. Prior to co-founding the company, he excelled as a security researcher and vulnerability test programmer for Rapid7. Testa holds a Master of Science degree in Computer Security and Information Assurance from the Rochester Institute of Technology, along with a Bachelor of Science degree in Psychology and Computer Science from the University of Maryland at College Park. He also likes to mist things.