[147941] in cryptography@c2.net mail archive


Re: [Cryptography] What's a Plausible Attack On Random Number

daemon@ATHENA.MIT.EDU (Yaron Sheffer)
Fri Nov 1 13:48:19 2013

X-Original-To: cryptography@metzdowd.com
Date: Fri, 01 Nov 2013 13:04:45 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: John Gilmore <gnu@toad.com>, Jerry Leichter <leichter@lrw.com>
In-Reply-To: <201311010404.rA144HqQ020831@new.toad.com>
Cc: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>,
	David Mercer <radix42@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 2013-11-01 06:04, John Gilmore wrote:
>> So actually the "beacon" should be done differently.  Every existing
>> system that already has access to randomness, will periodically
>> multicast some "random bits".  A newly booted system is able to see
>> this stuff (it will have to know where to look, of course).  The
>> bits themselves aren't particularly useful, but the timing
>> information should be.
>
> This is sort of like "BOOTP for RNGs".  It sounds like an interesting
> R&D project.  Deliberately relying on external inputs (even the timing
> of external inputs) invites attackers, of course.  And spraying output
> from your well-fed RNG out to the world invites a different class of
> attackers.  Which is why this is more like a multi-year research
> effort as opposed to an implement-it-and-forget-it service.
>
It sounds like a quick addition to DHCP - an extension that gets you 256
bits from the server - would solve 99% of the problem we have with
embedded devices. It will not be sufficient for high-security
environments, because an attacker might be listening on the local LAN,
but it will provide the entropy we need to initialize SSH, TLS, IPsec.
And it is much better than relying on fixed information (MAC address
etc.) and a few bits of timing.

Looks very much like an "implement it, standardize it and forget it" 
kind of thing to me.

Thanks,
	Yaron
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
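The DHCP entropy extension sketched in the message above, worked through as an added example (this is not code from the thread or from any DHCP implementation). It assumes a hypothetical option code in the site-specific range and the standard RFC 2132 code/length/data option layout; the seeding function shows the point Yaron makes about a LAN eavesdropper: network-supplied bits should only ever be mixed in alongside local sources, and if the local sources are predictable, anyone who saw the packet can reproduce the seed.

```python
import hashlib
import struct

# Hypothetical option code for the proposed entropy extension (site-specific
# range 224-254 per RFC 3942); NOT an IANA-assigned value.
OPT_ENTROPY = 224
ENTROPY_LEN = 32  # the 256 bits proposed in the message


def encode_entropy_option(bits: bytes) -> bytes:
    """Server side: wrap exactly 256 random bits as a DHCP option TLV."""
    if len(bits) != ENTROPY_LEN:
        raise ValueError("entropy option must carry exactly 256 bits")
    return struct.pack("!BB", OPT_ENTROPY, ENTROPY_LEN) + bits


def parse_options(options: bytes) -> dict:
    """Client side: walk an RFC 2132 options field (TLVs ending in 0xFF).
    Rejects truncated options instead of silently using short data."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        data = options[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        out[code] = data
        i += 2 + length
    return out


def seed_from_sources(network_bits: bytes, mac: bytes, boot_ticks: bytes,
                      local_secret: bytes = b"") -> bytes:
    """Mix every source through a hash with length-prefixed framing, so the
    DHCP-supplied bits can add entropy but never replace the local state.
    With local_secret empty and MAC/timing guessable, a LAN eavesdropper who
    captured the option recomputes the same seed (the caveat in the message)."""
    h = hashlib.sha256()
    for label, src in ((b"net", network_bits), (b"mac", mac),
                       (b"time", boot_ticks), (b"local", local_secret)):
        h.update(struct.pack("!B", len(label)) + label)
        h.update(struct.pack("!H", len(src)) + src)
    return h.digest()
```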
