[147948] in cryptography@c2.net mail archive
Re: [Cryptography] What's a Plausible Attack On Random Number
daemon@ATHENA.MIT.EDU (Sandy Harris)
Fri Nov 1 15:21:49 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <52736E65.7010909@iang.org>
Date: Fri, 1 Nov 2013 14:25:39 -0400
From: Sandy Harris <sandyinchina@gmail.com>
To: Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
ianG <iang@iang.org> wrote:
> Good point. The only RNG attack I can think of off-hand for which we have
> reasonable evidence is the Android Bitcoin theft [0]. Very recent. Any
> others?
http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html
> It would seem that attacking the RNG is rather esoteric.
Perhaps, but we also know that many (I think nearly all)
crypto protocols rely on random numbers, so many that
are otherwise thought secure fail if the RNG does.
PGP generates a random key for each message. Use
a sufficiently bad RNG and PGP is easily breakable.
Use one with any weakness at all that the attacker
knows about and an attack on the block cipher is
cheaper than it should be.
The Diffie-Hellman key negotiation protocol used
in IPsec and other things requires that each player
generate a random number. It can be broken if
either RNG is weak.
There are other examples. The problem is not so
much that RNG attacks are known to be widespread
as that, if they do occur, they can be very serious.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
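The point about Diffie-Hellman above (each side must generate a random exponent, and the exchange is broken if either side's RNG is weak) can be shown concretely. The following is an added example, not part of Sandy Harris's message or any of the systems mentioned in it. It assumes constructed toy parameters (a 127-bit Mersenne prime modulus and a fixed base, not a vetted DH group) and models a "weak RNG" as one whose entire output is determined by a 16-bit seed, in the style of the time-and-PID seeding that broke Netscape's SSL; an observer who knows about that weakness and sees only the public values recovers the shared secret, while the same search against two properly seeded parties finds nothing.

```python
import hashlib
import secrets

# Constructed toy parameters: a Mersenne prime modulus and a fixed base.
# This is NOT a vetted Diffie-Hellman group; real systems use standardised
# groups of 2048 bits or more. The size here only keeps the demo fast.
P = (1 << 127) - 1
G = 3

WEAK_SEED_BITS = 16  # the weak RNG has only 2**16 possible internal states


def weak_exponent(seed: int) -> int:
    """Model of a badly seeded RNG (an assumption of this example): the whole
    output is a deterministic function of a small seed, e.g. time of day or
    a PID. Anyone who can enumerate the seed space can enumerate every
    private exponent this RNG will ever hand out."""
    digest = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1


def strong_exponent() -> int:
    """Private exponent drawn from the OS CSPRNG: the correct way."""
    return secrets.randbelow(P - 2) + 1


def dh_exchange(a: int, b: int):
    """Run the public exchange and return (A, B, shared secret).

    A and B are what an eavesdropper on the wire gets to see; the shared
    secret is what both honest parties compute and would feed into a KDF."""
    A = pow(G, a, P)      # Alice sends A = g^a
    B = pow(G, b, P)      # Bob sends   B = g^b
    k_alice = pow(B, a, P)
    k_bob = pow(A, b, P)
    assert k_alice == k_bob  # both sides agree on g^(ab)
    return A, B, k_alice


def eavesdropper_recover(A: int, B: int):
    """An observer who saw only A and B, but knows one party's RNG is the
    weak one above, tries every possible seed. If g^x matches either public
    value, that party's private exponent is known and so is the shared key.
    Returns the recovered shared secret, or None if neither side was weak."""
    for seed in range(1 << WEAK_SEED_BITS):
        x = weak_exponent(seed)
        gx = pow(G, x, P)
        if gx == A:
            return pow(B, x, P)
        if gx == B:
            return pow(A, x, P)
    return None


def demo():
    """Return (weak_side_broken, strong_exchange_survives)."""
    # Case 1: Alice is fine, Bob uses the weak RNG -> the exchange is broken
    a = strong_exponent()
    b = weak_exponent(seed=12345)  # constructed weak seed
    A, B, k = dh_exchange(a, b)
    recovered_weak = eavesdropper_recover(A, B)

    # Case 2: both sides use the CSPRNG -> the same search finds nothing
    a2, b2 = strong_exponent(), strong_exponent()
    A2, B2, _ = dh_exchange(a2, b2)
    recovered_strong = eavesdropper_recover(A2, B2)

    return recovered_weak == k, recovered_strong is None


if __name__ == "__main__":
    broken, survives = demo()
    print("weak-RNG exchange recovered by observer:", broken)
    print("strong-RNG exchange survives same search:", survives)
```

Note that Alice's exponent in case 1 is perfectly good and it does not help her: the exchange is only as strong as the weaker party's randomness, which is exactly the "either RNG" point in the message. The mitigation is on the generation side (seed from the OS CSPRNG, never from low-entropy sources), since nothing in the protocol itself can detect a low-entropy peer.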