[146603] in cryptography@c2.net mail archive


Re: [Cryptography] tamper-evident crypto? (was: BULLRUN)

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Thu Sep 5 20:11:29 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 5 Sep 2013 20:11:08 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: John Denker <jsd@av8n.com>
In-Reply-To: <52291A36.9070608@av8n.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Thu, 05 Sep 2013 16:56:38 -0700 John Denker <jsd@av8n.com> wrote:
> > The generator can
> > be easily tested for correct behavior if it is simply a block
> > cipher.
> 
> I wouldn't have said that.
> 
> As Dijkstra was fond of saying:
>    Testing can show the presence of bugs;
>    testing can never show the absence of bugs.

The point is that a deterministic generator operating off of a seed
can be validated -- you can assure yourself reasonably easily that
the thing is indeed AES in counter mode. A hardware generator can have
horrible flaws that are hard to detect without a lot of data from many
devices. (The recent break of the Taiwanese national ID card system
should be a lesson on that too.)

I will remind everyone that the key generation ceremony for the
Clipper devices used a deterministic generator for precisely this
reason even given that the keys were being escrowed. See Dorothy
Denning's old report on that for a reminder.

Perry
-- 
Perry E. Metzger		perry@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
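The validation Perry describes, assuring yourself that a seeded generator really is AES in counter mode, is a known-answer test: feed the construction a published key and counter block and compare its first output block against the published ciphertext. The example below is added here to illustrate that and is not part of the original message or of any project; it uses only the Go standard library. The generator (`CTRGenerator`) is a constructed illustration, keystream of AES-128-CTR over zero input, not any particular product's design. The vector is the AES-128 example from FIPS-197 Appendix C.1 (key `000102...0f`, block `00112233...ff`, ciphertext `69c4e0d8...c55a`); with that block used as the initial counter, the generator's first 16 output bytes must equal that ciphertext. A second check confirms the property that makes such a generator auditable at all: the same seed reproduces the same stream, and the counter actually advances between blocks. Passing these checks says the implementation is the cipher it claims to be; it says nothing about the entropy of the seed, which is a separate question.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// CTRGenerator is a constructed example of a deterministic generator:
// the AES-128 counter-mode keystream, obtained by encrypting all-zero
// input. Its entire behaviour is fixed by (key, initial counter), which
// is what makes it checkable against published test vectors.
type CTRGenerator struct {
	stream cipher.Stream
}

// NewCTRGenerator seeds the generator with a 16-byte AES-128 key and a
// 16-byte initial counter block.
func NewCTRGenerator(key, counter []byte) (*CTRGenerator, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(counter) != block.BlockSize() {
		return nil, fmt.Errorf("counter must be %d bytes, got %d", block.BlockSize(), len(counter))
	}
	return &CTRGenerator{stream: cipher.NewCTR(block, counter)}, nil
}

// Read fills out with the next len(out) bytes of generator output.
func (g *CTRGenerator) Read(out []byte) {
	for i := range out {
		out[i] = 0 // zero plaintext, so the output is the raw keystream
	}
	g.stream.XORKeyStream(out, out)
}

// KnownAnswerCheck validates the generator against FIPS-197 Appendix C.1:
// AES-128 with key 00..0f maps block 00112233..ff to 69c4e0d8..c55a. Using
// that block as the initial counter, the first keystream block must be
// exactly that ciphertext. A generator that is not really AES-CTR fails here.
func KnownAnswerCheck() bool {
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	counter, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	want, _ := hex.DecodeString("69c4e0d86a7b0430d8cdb78070b4c55a")

	g, err := NewCTRGenerator(key, counter)
	if err != nil {
		return false
	}
	got := make([]byte, 16)
	g.Read(got)
	return bytes.Equal(got, want)
}

// ReproducibilityCheck confirms the two properties a deterministic generator
// must have to be auditable: the same seed yields the same stream, and
// successive blocks differ (the counter is actually being incremented).
func ReproducibilityCheck() bool {
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	counter, _ := hex.DecodeString("00112233445566778899aabbccddeeff")

	a, errA := NewCTRGenerator(key, counter)
	b, errB := NewCTRGenerator(key, counter)
	if errA != nil || errB != nil {
		return false
	}
	outA := make([]byte, 64)
	outB := make([]byte, 64)
	a.Read(outA)
	b.Read(outB)
	sameStream := bytes.Equal(outA, outB)
	counterAdvances := !bytes.Equal(outA[:16], outA[16:32])
	return sameStream && counterAdvances
}

func main() {
	fmt.Println("known-answer check passed:", KnownAnswerCheck())
	fmt.Println("reproducibility check passed:", ReproducibilityCheck())
}
```

Running the program prints `true` for both checks. The contrast with the hardware case Perry draws is that no such vector exists for a physical noise source: its output cannot be compared against a published expected value, so flaws have to be inferred statistically from large amounts of output, and from many devices, rather than confirmed block by block.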