[146862] in cryptography@c2.net mail archive

Re: [Cryptography] Techniques for malevolent crypto hardware

daemon@ATHENA.MIT.EDU (John Kelsey)
Sun Sep 8 18:28:36 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20130908195552.GA3793@panix.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Sun, 8 Sep 2013 18:16:45 -0400
To: Thor Lancelot Simon <tls@rek.tjls.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	"Perry E. Metzger" <perry@piermont.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sep 8, 2013, at 3:55 PM, Thor Lancelot Simon <tls@rek.tjls.com> wrote:
...
> I also wonder -- again, not entirely my own idea, my whiteboard partner
> can speak up for himself if he wants to -- about whether we're going
> to make ourselves better or worse off by rushing to the "safety" of
> PFS ciphersuites, which, with their reliance on DH, in the absence of
> good RNGs may make it *easier* for the adversary to recover our eventual
> symmetric-cipher keys, rather than harder!

I don't think you can do anything useful in crypto without some good source of random bits.  If there is a private key somewhere (say, used for signing, or the public DH key used alongside the ephemeral one), you can combine the hash of that private key into your PRNG state.  The result is that if your entropy source is bad, you get security to someone who doesn't compromise your private key in the future, and if your entropy source is good, you get security even against someone who compromises your private key in the future (that is, you get perfect forward secrecy).

> Thor

--John
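The construction John describes above, as an added example that is not part of the thread: the hash of a long-term private key is folded into the PRNG seed next to the entropy-source output, so a bad entropy source still leaves the stream unpredictable to anyone who lacks the key, while a good one keeps the stream independent of the key. The HMAC-counter PRNG, the `seed_material`/`make_prng` names and the constructed key and entropy values are assumptions of this example, not a standard DRBG.

```python
import hashlib
import hmac


def seed_material(entropy: bytes, private_key: bytes) -> bytes:
    """Combine entropy-source output with a hash of a long-term private key.

    The key is hashed before mixing so the raw key never sits in PRNG state
    and a dump of that state does not hand over the signing key itself.
    """
    return entropy + hashlib.sha256(private_key).digest()


class HashPRNG:
    """Minimal HMAC-SHA256 counter generator (illustrative, not a standard DRBG)."""

    def __init__(self, seed: bytes):
        # Derive a working key from the combined seed; the seed itself is discarded.
        self.key = hmac.new(b"prng-seed-derivation", seed, hashlib.sha256).digest()
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            self.counter += 1
        return out[:n]


def make_prng(entropy: bytes, private_key: bytes) -> HashPRNG:
    """Build a generator whose seed depends on both the entropy and the key."""
    return HashPRNG(seed_material(entropy, private_key))


def demonstrate() -> dict:
    """Constructed inputs: a dead entropy source (all zeros) versus a live one."""
    dead = b"\x00" * 32          # broken RNG: same output every time
    live_1, live_2 = b"\x11" * 32, b"\x22" * 32   # two fresh draws from a good RNG
    key_a, key_b = b"private-key-A", b"private-key-B"
    return {
        # bad entropy: stream is fixed per key, but differs across keys, so an
        # attacker without the key still cannot reproduce it
        "dead_same_key_repeats": make_prng(dead, key_a).random_bytes(16)
        == make_prng(dead, key_a).random_bytes(16),
        "dead_keys_differ": make_prng(dead, key_a).random_bytes(16)
        != make_prng(dead, key_b).random_bytes(16),
        # good entropy: stream changes per draw even with the same key, so a
        # later key compromise does not reveal earlier streams (forward secrecy)
        "live_draws_differ": make_prng(live_1, key_a).random_bytes(16)
        != make_prng(live_2, key_a).random_bytes(16),
    }
```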
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography