[146875] in cryptography@c2.net mail archive


Re: [Cryptography] Techniques for malevolent crypto hardware

daemon@ATHENA.MIT.EDU (James A. Donald)
Sun Sep 8 23:53:56 2013

Date: Mon, 09 Sep 2013 13:42:36 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
In-Reply-To: <20130908211541.557a7c5a@jabberwock.cb.piermont.com>
Reply-To: jamesd@echeque.com

On 2013-09-09 11:15 AM, Perry E. Metzger wrote:
> Lenstra, Heninger and others have both shown mass breaks of keys based
> on random number generator flaws in the field. Random number
> generators have been the source of a huge number of breaks over time.
>
> Perhaps you don't see the big worry, but real world experience says
> it is something everyone else should worry about anyway.

Real world experience is that there is nothing to worry about /if you do 
it right/.  And that it is frequently not done right.

When you screw up AES or such, your test vectors fail, your unit test 
fails, so you fix it, whereas if you screw up entropy, everything 
appears to work fine.

It is hard, perhaps impossible, to have a test suite that makes sure that 
your entropy collection works.

One can, however, have a test suite that ascertains that on any two runs 
of the program, most items collected for entropy are different except 
for those that are expected to be the same, and that on any run, any 
item collected for entropy does make a difference.

Does your unit test check your entropy collection?
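As an added example (not code from the post or its author), here is a small Python unit test in the spirit of the two checks described above: across two collection runs every item not on an allow-list must differ, and on one run every item must actually move the derived seed. The collector, its item names, the allow-list and the deliberately faulty `broken_mix` are constructed for illustration.

```python
import hashlib
import os
import socket
import time

# Items legitimately identical across two runs inside one process (constructed list).
EXPECTED_SAME = {"hostname", "pid"}


def collect_items():
    """Gather raw entropy items as name -> bytes (illustrative sources only)."""
    return {
        "hostname": socket.gethostname().encode(),
        "pid": str(os.getpid()).encode(),
        "counter_ns": time.perf_counter_ns().to_bytes(8, "big"),
        "urandom": os.urandom(32),
    }

def two_runs():
    """Two collection runs, spaced so the clock-based item has time to move."""
    first = collect_items()
    time.sleep(0.001)
    return first, collect_items()

def mix(items, drop=None):
    """Hash all items into a 32-byte seed, length-framed so values cannot run
    together.  `drop` simulates an item that is collected but never mixed in."""
    h = hashlib.sha256()
    for name in sorted(items):
        if name != drop:
            value = items[name]
            h.update(name.encode() + b"\0" + len(value).to_bytes(4, "big") + value)
    return h.digest()

def broken_mix(items):
    """Constructed faulty mixer: silently ignores the urandom item."""
    return mix(items, drop="urandom")

def unexpected_repeats(run_a, run_b):
    """Item names identical across two runs that were not expected to be."""
    return {n for n in run_a if run_a[n] == run_b[n]} - EXPECTED_SAME

def items_without_effect(items, mixer):
    """Item names whose perturbation leaves the seed unchanged: the mixer
    never actually uses them, which is exactly the silent failure the post warns about."""
    base = mixer(items)
    return {n for n, v in items.items() if mixer(dict(items, **{n: v + b"\x01"})) == base}
```

Run as a unit test, `unexpected_repeats` catches a source that has quietly gone constant, and `items_without_effect` catches a source that is collected but never reaches the pool, the case where everything else still appears to work.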

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography