Dueling over Dual_EC_DRGB: The Consequences of Corrupting a Cryptographic Standardization Process
The Internet presents a serious conundrum. Though well known to have security problems, the network is globally relied upon for commerce and used to control many critical systems and infrastructure. This inconsistency is partially explained by the fact that when someone says, “The Internet is insecure,” they are often not referring to the communications network, but rather the applications that run on it. But it is also true that a network itself can be insecure and nonetheless be widely used—because the network provides value and risk can be managed.
The Internet’s communications protocols—TCP/IP—do not authenticate communication senders; this allows various attacks, including Distributed Denial of Service (DDoS), and simplifies attacker intrusions into endpoint networks. The decentralized nature of Internet routing—routers on the network share routing information with their neighbors—allows packets to be routed incorrectly,[1] sometimes leading to eavesdropping on communications, theft,[2] and even shutting down important and well-known websites due to traffic diversion.[3]
A solution to many of these problems exists: cryptography. The technology, which can provide confidentiality (ensuring no one but the intended recipients can read a message), integrity (ensuring that the communication has not been altered), and authenticity (proof that the message came from an authorized source), is essential to providing security and privacy to communications protocols (e.g., https).
