[10412] in cryptography@c2.net mail archive
RE: Welcome to the Internet, here's your private key
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Thu Feb 7 13:09:07 2002
Date: Thu, 7 Feb 2002 05:55:27 +1300 (NZDT)
Message-ID: <200202061655.FAA86528@ruru.cs.auckland.ac.nz>
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: ggr@qualcomm.com, yeoh@cs.wisc.edu
Cc: cryptography@wasabisystems.com, frantz@pwpconsult.com
Greg Rose <ggr@qualcomm.com> writes:
>While priming the RC4 table, I accidentally filled the data buffer instead
>(D'oh!) with consecutive byte values 0x00, 0x01, ... 0xFF, 0x00, ...
>
>This very much passes the FIPS 140 tests for randomness, despite being nothing
>like it:
A generic order-0 entropy estimator (think Huffman coder) will pass this,
because each symbol occurs with equal probability. The reason this is a
problem is because any introductory information theory text will give the
standard formula for entropy estimation (H = -sum(prob(x) * log( prob(x)))) and
users will either stop reading there or the text won't go any further. I've
seen a (fielded) crypto RNG which uses this sort of estimator, which won't
catch a whole pile of failure modes which the FIPS tests would get.
Peter.
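An added illustration of the point above (example code, not from the thread or from any RNG Peter refers to): the order-0 estimator scores the accidental 0x00, 0x01, ... 0xFF fill at a perfect 8 bits per byte, and the FIPS 140-1 monobit test passes it as well, while a first-order conditional entropy estimate, which asks how predictable each byte is from its predecessor, scores it at zero. The buffer, function names and the 4096-byte sample size are constructed for this example.

```python
import math
from collections import Counter


def sequential_buffer(n: int) -> bytes:
    """Constructed sample: the accidental 0x00, 0x01, ... 0xFF, 0x00, ... fill."""
    return bytes(i % 256 for i in range(n))


def order0_entropy(data: bytes) -> float:
    """Textbook estimator H = -sum(p(x) * log2(p(x))) over single-byte symbols.
    Only symbol frequencies matter, so any stream that cycles through all
    256 byte values equally often scores the maximum 8 bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def order1_conditional_entropy(data: bytes) -> float:
    """Plug-in estimate of H(X_i | X_{i-1}) in bits per byte.
    A stream that is fully determined by its previous byte scores 0 here
    even when every byte value is equally common."""
    total = len(data) - 1
    prev = Counter(data[:-1])              # how often each byte precedes another
    pairs = Counter(zip(data, data[1:]))   # how often each (prev, next) pair occurs
    return -sum((c / total) * math.log2(c / prev[a]) for (a, _), c in pairs.items())


def fips_monobit(data: bytes) -> bool:
    """FIPS 140-1 monobit test on the first 20000 bits: pass if 9654 < ones < 10346."""
    ones = sum(bin(b).count("1") for b in data[:2500])
    return 9654 < ones < 10346


def main():
    buf = sequential_buffer(4096)
    print(f"order-0 entropy:      {order0_entropy(buf):.3f} bits/byte")           # 8.000
    print(f"order-1 cond entropy: {order1_conditional_entropy(buf):.3f} bits/byte")  # 0.000
    print(f"FIPS monobit passes:  {fips_monobit(buf)}")                           # True


if __name__ == "__main__":
    main()
```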
The Cryptography Mailing List