[147972] in cryptography@c2.net mail archive


Re: [Cryptography] What's a Plausible Attack On Random Number

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Sun Nov 3 18:07:50 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <527469B8.9090006@echeque.com>
Date: Sun, 3 Nov 2013 11:40:05 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "James A. Donald" <jamesd@echeque.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


Please when we are having this discussion, distinguish the two cases:

1) Generating public keypairs
2) Generating session keys

The security concerns for the two cases are completely different yet we
have seen the issue of ssh keys being used.

There is no excuse for not generating public key pairs on a machine that is
completely trusted and trustworthy and has a strong random seed and
effective means of capturing additional random input.


For session keys, I suggest that any device that is not capable of
generating a good public key pair should not be relying on its own random
seed either. So for that I would suggest that whatever process provisions
the public key or shared session key to the device also provision a random
seed to it.

When generating random numbers the device should always use multiple
sources and complement the randomness from the random seed with other
sources. So the final random seed would be something like

R = R_1 XOR R_2 XOR R_3

Where

R_1 = randomness captured from environment
R_2 = randomness from seed embedded by manufacturer
R_3 = randomness from seed provided during provisioning.

Devices that can't generate good random keys are almost always going to be
devices that are slaves to some other machine. So let's not get hung up about
how to generate good random seeds in my toaster or kettle or fridge. They
are only going to be on the net at all because I have provisioned them into
my network and granted them an access priv. I can easily provision in a
backup random seed at the same time.
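The three-source combination R = R_1 XOR R_2 XOR R_3 described in the post, worked through as an added example (this is not Hallam-Baker's code nor code from any project mentioned in the thread). The function names `xor_combine`, `combine_device_seed` and `expand_seed` are assumptions, and the sample seeds are constructed values; the HMAC-SHA256 counter-mode expander is an illustrative stand-in for whatever DRBG a real device would use. The interesting check is that a source which produced nothing (all zero bytes) cannot weaken the provisioned seed, while feeding the same seed in twice cancels it, which is why the three inputs must be independent:

```python
import hashlib
import hmac
import os

SEED_LEN = 32  # each source contributes a 256-bit seed (assumed length)


def xor_combine(*sources: bytes) -> bytes:
    """Compute R = R_1 XOR R_2 XOR ... over equal-length byte strings.

    If at least one input is unpredictable and independent of the others,
    the result is unpredictable, so a broken environmental source cannot
    cancel out a good provisioned seed.
    """
    if not sources:
        raise ValueError("need at least one source")
    n = len(sources[0])
    if any(len(s) != n for s in sources):
        raise ValueError("all sources must have the same length")
    out = bytearray(n)
    for src in sources:
        for i, b in enumerate(src):
            out[i] ^= b
    return bytes(out)


def combine_device_seed(r_env: bytes, r_mfr: bytes, r_prov: bytes) -> bytes:
    """R = R_1 XOR R_2 XOR R_3, with the three sources named as in the post:
    R_1 captured from the environment, R_2 embedded by the manufacturer,
    R_3 handed over during provisioning."""
    return xor_combine(r_env, r_mfr, r_prov)


def expand_seed(seed: bytes, label: bytes, n_bytes: int) -> bytes:
    """Stretch the combined seed into session-key material.

    Hypothetical expander: HMAC-SHA256 keyed by the seed, run in counter
    mode over a context label. A production device should use its
    platform DRBG; this only shows that one seed can feed many keys.
    """
    out = b""
    counter = 0
    while len(out) < n_bytes:
        block = hmac.new(seed, label + counter.to_bytes(4, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return out[:n_bytes]


# Constructed sample seeds (not real device values).
R_MFR_SAMPLE = hashlib.sha256(b"constructed manufacturer seed").digest()
R_PROV_SAMPLE = hashlib.sha256(b"constructed provisioning seed").digest()
R_ENV_DEAD = bytes(SEED_LEN)  # an environment source that yielded nothing


def failed_env_source_is_harmless() -> bool:
    """A zero environmental source leaves R equal to R_2 XOR R_3."""
    r = combine_device_seed(R_ENV_DEAD, R_MFR_SAMPLE, R_PROV_SAMPLE)
    return r == xor_combine(R_MFR_SAMPLE, R_PROV_SAMPLE)


def duplicated_source_cancels() -> bool:
    """Feeding one seed in twice removes it entirely: independence matters."""
    r = xor_combine(R_PROV_SAMPLE, R_PROV_SAMPLE, R_MFR_SAMPLE)
    return r == R_MFR_SAMPLE


if __name__ == "__main__":
    # On a real device R_1 would come from a hardware noise source; here
    # os.urandom stands in for it.
    r_env = os.urandom(SEED_LEN)
    seed = combine_device_seed(r_env, R_MFR_SAMPLE, R_PROV_SAMPLE)
    key = expand_seed(seed, b"session-key/v1", 32)
    print("combined seed:", seed.hex())
    print("session key:  ", key.hex())
    print("dead env source harmless:", failed_env_source_is_harmless())
    print("duplicate source cancels:", duplicated_source_cancels())
```

The two boolean helpers make the design point explicit: XOR is only as strong as its strongest independent input, so the manufacturer seed and the provisioned seed must not be derived from one another, and neither may be fed in twice.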


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography