[147284] in cryptography@c2.net mail archive


Re: [Cryptography] The hypothetical random number generator backdoor

daemon@ATHENA.MIT.EDU (Alan Braggins)
Wed Sep 25 07:03:46 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAMm+LwhBWnB7x+CCs8XSWON9qjUqE5nLebMJ1rAejvgp=LUT_A@mail.gmail.com>
Date: Wed, 25 Sep 2013 10:17:16 +0100
From: Alan Braggins <alan.braggins@gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 23 September 2013 01:09, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> So we think there is 'some kind' of backdoor in a random number generator.
> One question is how the EC math might make that possible. Another is how
> might the door be opened.

Are you talking about http://en.wikipedia.org/wiki/Dual_EC_DRBG#Controversy
or hypothetical RNGs in general, maybe not even EC based?


> I was thinking about this and it occurred to me that it is fairly easy to
> get a public SSL server to provide a client with a session key - just ask to
> start a session.

For an RSA key exchange without ephemeral DH, the _client_ generates
the premaster secret from which the session key is derived.

However, ClientHello and ServerHello both contain random numbers sent
before key exchange. If you are intercepting traffic, you have a nonce generated
shortly before the session key generation for every key exchange, even without
starting sessions of your own.

Possibly you can use the client nonces to reduce the search space for
the session keys (and if it's an RC4 session key, maybe the biases in RC4 help?).
(Or, if using DHE, maybe it helps find DH private keys.)

And possibly if you have server nonces based on the same PRNG seed as was
used when the RSA key was generated, you can search for the RSA key.

-- 
alan.braggins@gmail.com
http://www.chiark.greenend.org.uk/~armb/
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
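The risk raised in the reply above (a public hello nonce and the secret key material drawn from one generator whose state an observer can recover) as an added toy illustration, not code from this thread. It assumes a constructed generator with a deliberately tiny 16-bit seed standing in for any weak or state-revealing PRNG (it does not model the Dual EC trapdoor itself), and an `os.urandom`-backed generator standing in for a proper CSPRNG; the audit check replays candidate states against the observed client_random and, on a match, derives the premaster secret.

```python
import hashlib
import os

SEED_BITS = 16  # constructed: tiny state space so the toy generator is searchable


class ToyPrng:
    """Constructed weak PRNG: output block i is SHA-256(seed || i).
    Knowing one output pins down the seed, and with it every later output."""

    def __init__(self, seed: int):
        self.seed = seed
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            msg = self.seed.to_bytes(4, "big") + self.counter.to_bytes(4, "big")
            out += hashlib.sha256(msg).digest()
            self.counter += 1
        return out[:n]


class OsPrng:
    """Stand-in for a proper CSPRNG: no recoverable state, fresh OS entropy."""

    def random_bytes(self, n: int) -> bytes:
        return os.urandom(n)


def client_handshake(prng):
    """Client side of an RSA key exchange, simplified: client_random goes out in
    the clear in ClientHello; the premaster secret is only ever sent encrypted."""
    client_random = prng.random_bytes(32)
    premaster = prng.random_bytes(48)
    return client_random, premaster


def recover_premaster_from_nonce(client_random: bytes):
    """Audit check: can the public nonce alone reproduce the secret premaster?
    Searches the seed space; a match means the generator leaks its state."""
    for seed in range(1 << SEED_BITS):
        candidate = ToyPrng(seed)
        if candidate.random_bytes(32) == client_random:
            return candidate.random_bytes(48)  # replay past the nonce
    return None


def nonce_leaks_key(prng) -> bool:
    """True when the observed client_random lets an observer derive the premaster."""
    client_random, premaster = client_handshake(prng)
    return recover_premaster_from_nonce(client_random) == premaster
```
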
