[147928] in cryptography@c2.net mail archive


Re: [Cryptography] What's a Plausible Attack On Random Number

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Thu Oct 31 16:05:46 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <20131031185351.GA1995@order.stressinduktion.org>
Date: Thu, 31 Oct 2013 15:15:43 -0400
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Oct 31, 2013, at 2:53 PM, Hannes Frederic Sowa <hannes@stressinduktion.org> wrote:
> Are we talking about real world operating systems?
No.  As you say, they already come with their own random sources, and everyone argues about how good they are.  So I'm positing a system modified to use a particular RNG approach that "everyone knows" doesn't work, and then asking "OK, we all believe this isn't good enough - can we construct a plausible attack?"

> So only depending on the network to gather entropy from the network
> does not sound that good
Yes, but can we construct a plausible attack?

> (given you only used static data to initialize
> the entropy pool). I guess you need a bootstrap procedure for the DC to
> make sure the application on the first machine powered on does not have
> weaker random keys.
For the first ten machines I bring up - just after the company founding party - I and my partners toss coins to provide the seed entropy.  Or for a more spectacular send-off, we go to the bank, get a pile of a hundred or so bills in multiple currencies, pull a couple per system out of a hat, enter their serial numbers as the seeds, then burn all the bills and stir the ashes.  :-)
(And then go to jail for destroying US currency?)

After that, everything proceeds as I outlined.
                                                        -- Jerry

