Take Two Curves and Call Me in the Morning: The Story of the NSA’s Dual_EC_DRBG and its Implications to Health Privacy

Date:  February 13th 2014 from Noon to 1pm EST

Abstract: Over the last several months a staggering series of revelations have been reported about the wide-reaching efforts of the United States National Security Agency (NSA) to intercept digital communications. Though not surprising to learn the NSA—an intelligence organization—is spying on global targets, the apparent scale and sophistication of their capabilities have been turning heads internationally.

Last September, troubling allegations emerged suggesting the NSA influenced the National Institute of Standards and Technology (NIST) into standardizing a cryptographic primitive with a secret backdoor. If true, the backdoor would provide the NSA with a major advantage in its efforts to snoop communications through something known as the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). Although the ensuing backlash has seen the offending code yanked from most major security products, surprising details about the program continue to emerge.

In this talk we will explain why random bits are crucial to online privacy, and what you could potentially do to people whose “random” bits you can predict. We will talk about Dual_EC_DRBG, and explain how the backdoor works in general terms. Finally, we will discuss some of the implications of state-level adversaries to health privacy and offer some high-level directions for healthcare providers to pursue.

Speaker: Dr. Aleksander Essex

Biography: Aleksander Essex is an assistant professor of software engineering at Western University focusing on topics in cyber security, applied cryptography and health privacy. During his postdoc at the Children’s Hospital of Eastern Ontario Research Institute he designed secure protocols for applications in privacy preserving medical informatics. His graduate work focused on trustworthy electronic voting and was part of an international research group that ran the first cryptographically-verifiable public election in the United States. He holds a Ph.D. in Computer Science from the University of Waterloo. Contact him at aessex-at-uwo-dot-ca.

View the slides here.