[CentOS] Can we trust RedHAt encryption tools?

Mon Jan 6 19:38:16 UTC 2014
m.roth at 5-cent.us <m.roth at 5-cent.us>

Eero Volotinen wrote:
> mark wrote:
>> I agree, but I just don't know how much in the way of man-hours that would
>> be involved.
>>
>> However, if you do get it all built, and build packages out of them,
>> there is an extras? contribs? repo, and I'd encourage you to submit it for
>> that.
>
> RHEL nowadays already supports Elliptic Curve on openssl.

Um, I guess you haven't read the news lately - the most used,
POSIX-mandated elliptic curve is backdoored by the US NSA - when the
standards committee was writing the standard, they pushed the backdoored
version.

<https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html>
From one of the two linked essays:
As was revealed today, the NSA also works with security product vendors to
ensure that commercial encryption products are broken in secret ways that
only it knows about. We know this has happened historically: CryptoAG and
Lotus Notes are the most public examples, and there is evidence of a back
door in Windows. A few people have told me some recent stories about their
experiences, and I plan to write about them soon. Basically, the NSA asks
companies to subtly change their products in undetectable ways: making the
random number generator less random, leaking the key somehow, adding a
common exponent to a public-key exchange protocol, and so on. If the back
door is discovered, it's explained away as a mistake. And as we now know,
the NSA has enjoyed enormous success from this program.
--- end excerpt ---

<http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance>

      mark