[146840] in cryptography@c2.net mail archive


Re: [Cryptography] [cryptography] Random number generation

daemon@ATHENA.MIT.EDU (Jon Callas)
Sun Sep 8 13:44:21 2013

X-Original-To: cryptography@metzdowd.com
From: Jon Callas <jon@callas.org>
In-Reply-To: <14C49EAC-4946-405A-BF56-9E3BF7155183@gmail.com>
Date: Sun, 8 Sep 2013 10:41:55 -0700
To: John Kelsey <crypto.jmk@gmail.com>
Cc: Eugen Leitl <eugen@leitl.org>,
	Cryptography List <cryptography@metzdowd.com>, Jon Callas <jon@callas.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Sep 7, 2013, at 8:06 PM, John Kelsey <crypto.jmk@gmail.com> wrote:

> There are basically two ways your RNG can be cooked:
> 
> a.  It generates predictable values.  Any good cryptographic PRNG will do this if seeded by an attacker.  Any crypto PRNG seeded with too little entropy can also do this.
> 
> b.  It leaks its internal state in its output in some encrypted way.  Basically any cryptographic processing of the PRNG output is likely to clobber this.

There's also another way -- that it's a constant PRNG.

For example, take a good crypto PRNG, seed it in manufacturing, and then in its life, it just outputs from that fixed state. That fixed state might be secret or known to outsiders, but either way, it's a cooked PRNG.

Sadly, there were (are?) some hardware PRNGs on TPMs that were precisely this.

	Jon



-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFSLLbjsTedWZOD3gYRAhMzAJ93/YEF8mTwdJ/ktl5SiR5IPp4DtwCeIrZh
KHVy+CIpN69GpJNlX0LiKiM=
=i4b8
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
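Added example (not part of the thread, and not code from either poster): a small simulation of the "constant PRNG" failure Jon describes, a generator whose state is fixed at manufacturing and replayed verbatim on every boot, next to a device that mixes fresh entropy into the seed at each power-up, and a defender-side check that flags the constant one by comparing outputs across boots. `HmacDrbgLite` is a simplified HMAC-SHA256 construction written for this illustration only; it is not NIST HMAC_DRBG, and the seeds, boot counts and the `demo()` helper are constructed values.

```python
import hashlib
import hmac
import os


class HmacDrbgLite:
    """Simplified HMAC-SHA256 generator (constructed stand-in for a real DRBG).

    Output blocks are HMAC(key, V); the key is rerolled after each call so that
    an emitted block does not expose the state used for the next one.
    """

    def __init__(self, seed: bytes) -> None:
        self.key = hmac.new(b"\x00" * 32, seed, hashlib.sha256).digest()
        self.v = b"\x01" * 32

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.v = hmac.new(self.key, self.v, hashlib.sha256).digest()
            out += self.v
        # Roll the key forward so earlier output cannot be extended from a captured block.
        self.key = hmac.new(self.key, self.v + b"\x00", hashlib.sha256).digest()
        return out[:n]


def cooked_device_boot(manufacturing_seed: bytes) -> bytes:
    """The 'constant PRNG' case: state set once at manufacturing, never refreshed.

    Every boot rebuilds the identical state, so every boot emits the identical bytes,
    whether or not the seed is secret.
    """
    return HmacDrbgLite(manufacturing_seed).generate(32)


def healthy_device_boot(manufacturing_seed: bytes, boot_entropy: bytes) -> bytes:
    """Same generator, but fresh entropy is folded into the seed at each power-up."""
    return HmacDrbgLite(manufacturing_seed + boot_entropy).generate(32)


def repeated_output_check(boot_fn, boots: int = 5) -> bool:
    """Defender-side health check: return True if any boot's first output block repeats.

    A good 256-bit output should never collide across a handful of boots; a repeat is
    a strong signal that the generator is replaying a fixed state.
    """
    seen = set()
    for _ in range(boots):
        block = boot_fn()
        if block in seen:
            return True
        seen.add(block)
    return False


def demo() -> dict:
    """Run the check against both device models; constructed seed, fresh OS entropy."""
    factory_seed = b"constructed-manufacturing-seed"
    return {
        "cooked_repeats": repeated_output_check(lambda: cooked_device_boot(factory_seed)),
        "healthy_repeats": repeated_output_check(
            lambda: healthy_device_boot(factory_seed, os.urandom(32))
        ),
    }


if __name__ == "__main__":
    print(demo())  # expected: {'cooked_repeats': True, 'healthy_repeats': False}
```

The check is deliberately cheap: it only needs the first output block from each boot, which is the kind of record a fleet-wide audit of generated keys or nonces can collect without touching device internals. It does not detect Kelsey's case (a), a seed chosen by an attacker, since such a generator still produces distinct values per boot; it only catches the degenerate fixed-state behaviour described in the reply.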
