[147840] in cryptography@c2.net mail archive


Re: [Cryptography] [RNG] on RNGs, VM state, rollback, etc.

daemon@ATHENA.MIT.EDU (John Kelsey)
Fri Oct 25 14:55:02 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <63D259F6-26FA-42E8-9E3E-7ACFBD957CFC@lrw.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Fri, 25 Oct 2013 08:12:00 -0400
To: Jerry Leichter <leichter@lrw.com>
Cc: Russ Nelson <nelson@crynwr.com>, Cryptography <cryptography@metzdowd.com>,
	Peter Saint-Andre <stpeter@stpeter.im>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

This gets back to the threat model discussion.  If your attacker is watching you from the outside as you generate your key, then interacting with stuff over the local net won't help you much.  (You may get a bit or two of entropy from the attacker not being able to know exactly which clock-tick you were on when the interrupt was serviced, but not much.)  If he's not watching you then, you can rule out a whole category of attackers.

Similarly, if you have some secret value that's available to any program on your machine, an attacker who can get onto your machine later can learn that.  But one who can't is just not able to guess your prng starting state.  

What else can be done to rule out classes of attacker up front?  

--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
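The two points above, as an added example that is not part of the original post: a min-entropy estimate over constructed interrupt-timing jitter (showing why a network interaction watched from outside yields only about a bit per sample), a seed derivation that mixes every source through a hash so the seed stays unpredictable as long as any one input is unknown to the attacker, and a small accounting function that sums the entropy an attacker of a given class cannot see. The jitter values, the 128- and 256-bit figures for the other sources, and the assumption that jitter samples are independent are all constructed for illustration.

```python
"""Added example: seed-entropy accounting by attacker class.
All sample data below is constructed; none of it comes from the post."""
import hashlib
import math
from collections import Counter

# Constructed: low bits of a cycle counter read when a local-net
# interrupt was serviced. An observer on the wire knows roughly when
# the packet arrived, so only this tick-level jitter is unknown to him.
CONSTRUCTED_TICK_JITTER = [0, 1, 1, 2, 1, 0, 1, 3, 1, 2, 1, 1, 0, 1, 2, 1]

# Constructed: a per-machine secret that any local program can read,
# and a few bytes drawn from the OS entropy source at seeding time.
CONSTRUCTED_LOCAL_SECRET = b"machine-secret-readable-by-any-local-process"
CONSTRUCTED_OS_ENTROPY = bytes(range(32))


def min_entropy_bits(samples):
    """Min-entropy, -log2(p_max): the conservative figure for seeding,
    because an attacker guesses the most likely value first."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def derive_seed(local_secret, jitter_samples, os_entropy):
    """Mix all sources through SHA-256 with length-prefixed fields.
    The digest is unpredictable as long as at least one input is
    unknown to the attacker; a known input costs nothing but adds nothing."""
    h = hashlib.sha256()
    for label, data in (("secret", local_secret),
                        ("jitter", bytes(jitter_samples)),
                        ("os", os_entropy)):
        h.update(label.encode() + len(data).to_bytes(4, "big") + data)
    return h.digest()


def example_source_bits():
    """Constructed per-source entropy table. The jitter figure assumes
    the samples are independent (an assumption, stated in the lead-in);
    the other two figures are illustrative constants."""
    jitter = min_entropy_bits(CONSTRUCTED_TICK_JITTER) * len(CONSTRUCTED_TICK_JITTER)
    return {"tick_jitter": jitter, "local_secret": 128.0, "os_entropy": 256.0}


def seed_entropy_against(per_source_bits, attacker_sees):
    """Entropy left in the seed against an attacker who can observe the
    named sources: sum only what that attacker class cannot see."""
    return sum(bits for name, bits in per_source_bits.items()
               if name not in attacker_sees)


def threat_model_table(per_source_bits):
    """The two attacker classes from the post. The outside observer
    watches key generation and so knows the network timing down to the
    tick; the later intruder can read anything any local program can."""
    return {
        "outsider watching keygen": seed_entropy_against(
            per_source_bits, attacker_sees=set()),          # jitter is all the net gives him
        "intruder on the box later": seed_entropy_against(
            per_source_bits, attacker_sees={"local_secret"}),
    }


if __name__ == "__main__":
    bits = example_source_bits()
    print("min-entropy per jitter sample: %.3f bits"
          % min_entropy_bits(CONSTRUCTED_TICK_JITTER))
    for who, left in threat_model_table(bits).items():
        print("%-28s %.1f bits unknown to attacker" % (who, left))
    print("seed:", derive_seed(CONSTRUCTED_LOCAL_SECRET,
                               CONSTRUCTED_TICK_JITTER,
                               CONSTRUCTED_OS_ENTROPY).hex())
```

The per-sample figure comes out under one bit for the constructed jitter, which is the "a bit or two" of the post; the table makes the second point concrete: a secret readable by every local program counts for nothing against an attacker who later lands on the machine, so that attacker class is ruled out only if the secret is not readable that way.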
