[11260] in cryptography@c2.net mail archive
Re: building a true RNG
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Wed Jul 31 11:03:20 2002
Date: Wed, 31 Jul 2002 17:07:13 +1200 (NZST)
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: daw@cs.berkeley.edu, reinhold@world.std.com
Cc: barney@tp.databus.com, cryptography@wasabisystems.com,
dahonig@cox.net, daw@mozart.cs.berkeley.edu, jsd@monmouth.com
David Wagner <daw@cs.berkeley.edu> writes:
>I once wrote a short note about the relevance of this to IPSec:
>http://www.cs.berkeley.edu/~daw/my-posts/using-prngs
There's another way to avoid this problem, which is to separate the nonce RNG
and crypto RNG, so that an attacker seeing the nonce RNG output can't use it
to attack the crypto RNG. This is done in PGP 5.x and the cryptlib RNG. OTOH
some RNGs are used in exactly the opposite manner, generating alternate public
and private random quantities, which make it possible to use one to infer
information about the other. Examples are generators used with SSL and ssh,
which both alternate from public nonces to private session keys and back.
Peter.
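The separated-generator design described above, as an added Python sketch (not code from the original post, nor from PGP 5.x or cryptlib). HmacStream is a toy stand-in for a real DRBG, and the "exposed state" is an assumption modelling a nonce generator whose internal state has been recovered by an observer of its output; the point is purely structural: replaying the exposed state reproduces the session key in the shared design and nothing useful in the separated one.

```python
import hashlib
import hmac
import os


class HmacStream:
    """Toy deterministic generator: block i = HMAC-SHA256(key, i).
    Stand-in for a real DRBG, used only to contrast shared vs. separated streams."""

    def __init__(self, seed: bytes, label: bytes):
        # Domain-separate the stream key by label so that two streams fed from
        # the same seed pool end up with unrelated keys.
        self.key = hashlib.sha256(label + b"|" + seed).digest()
        self.ctr = 0

    def next_block(self) -> bytes:
        self.ctr += 1
        return hmac.new(self.key, self.ctr.to_bytes(8, "big"), hashlib.sha256).digest()

    def snapshot(self):
        return (self.key, self.ctr)


def shared_design(seed: bytes):
    """One generator alternates a public nonce and a private key (the SSL/ssh pattern)."""
    g = HmacStream(seed, b"shared")
    nonce = g.next_block()
    exposed_state = g.snapshot()  # assumption: state recovered by whoever saw the nonce
    session_key = g.next_block()
    return nonce, exposed_state, session_key


def separated_design(seed: bytes):
    """Two generators: the nonce stream shares no key material with the crypto stream."""
    nonce_rng = HmacStream(seed, b"nonce")
    crypto_rng = HmacStream(seed, b"crypto")
    nonce = nonce_rng.next_block()
    exposed_state = nonce_rng.snapshot()  # same assumption, but only the nonce stream
    session_key = crypto_rng.next_block()
    return nonce, exposed_state, session_key


def predicts_key(exposed_state, session_key: bytes) -> bool:
    """Does replaying the generator from the exposed state yield the session key?"""
    key, ctr = exposed_state
    replay = hmac.new(key, (ctr + 1).to_bytes(8, "big"), hashlib.sha256).digest()
    return hmac.compare_digest(replay, session_key)


if __name__ == "__main__":
    seed = os.urandom(32)
    print("shared design predictable:   ", predicts_key(*shared_design(seed)[1:]))
    print("separated design predictable:", predicts_key(*separated_design(seed)[1:]))
```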
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com