[149069] in cryptography@c2.net mail archive
Re: [Cryptography] [cryptography] Boing Boing pushing an RSA
daemon@ATHENA.MIT.EDU (Bill Stewart)
Wed Jan 15 23:51:40 2014
X-Original-To: cryptography@metzdowd.com
Date: Wed, 15 Jan 2014 17:11:31 -0800
To: Cryptography <cryptography@metzdowd.com>,cryptography@randombit.net
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <52D6B73F.30701@borg.org>
Cc: Steve Furlong <demonfighter@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
>On 01/15/2014 10:38 AM, Steve Furlong wrote:
>>On Wed, Jan 15, 2014 at 9:15 AM, Kent Borg <kentborg@borg.org> wrote:
>> > OTP has always ranged from difficult to impractical to securely deploy, and
>> > the larger system where OTP is used will offer targets for attack, but
>> > one-time-pads themselves are compromised??
>>
>>Compromised PRNGs.
If you have a PRNG or DRBG, compromised or not, you don't have an OTP, 
you have a stream cypher of whatever quality level, subject to 
mathematical attack.  Maybe it's a good stream cypher, like BBS with 
a seed you protected well, maybe it's the random() function in your 
ROM's BASIC interpreter, maybe you're doing good tradecraft to handle 
distribution and use of the pseudorandom bits or maybe you're not, 
but it's not a one-time pad.
Compromised on-chip hardware randomness generators, giving you a 
stream that claims to be thermal noise but is actually 
DES(clock,NSAkey)?  Yeah, that's something you thought was a 
legitimate OTP, just like you thought the pad you generated by 
flipping coins (not knowing there was a KGB Ceiling Cat Camera 
Watching You) was a legitimate OTP.  But for that attack you blame 
Intel, not RSA.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
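As an added illustration of the point Bill makes above (my own example, not from the thread): a "pad" that comes out of a seeded generator is a stream cipher whose whole keystream is a function of the seed, so its effective key space is the seed space, however long the pad. The toy LCG, the 16-bit seed size and the messages are constructed for the demonstration and stand in for no real DRBG.

```python
import os

SEED_BITS = 16   # constructed toy seed size, small enough that the check finishes in seconds
PAD_LEN = 64     # length of the "pad" both parties derive from the shared seed

def prng_pad(seed: int, n: int) -> bytes:
    """Toy LCG keystream (constructed for illustration, not any real DRBG).
    Good or bad, every byte is a deterministic function of the seed, so this
    is a stream cipher keyed by 'seed', not a one-time pad."""
    x, out = seed, bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)

def true_otp_pad(n: int) -> bytes:
    """A pad with as many bits of entropy as it has bits: there is no seed to find."""
    return os.urandom(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_with_pad(pad: bytes, messages) -> list:
    """Use the pad the way an OTP user would: consume it sequentially, never reuse it."""
    out, pos = [], 0
    for m in messages:
        out.append(xor(m, pad[pos:pos + len(m)]))
        pos += len(m)
    return out

def recover_seed(known_plain: bytes, ciphertext: bytes):
    """Known-plaintext check on the PRNG 'pad': the keystream of one message
    narrows the 2**SEED_BITS candidate seeds to the one that reproduces it.
    Returns None when no seed fits, which is what a genuinely random pad gives."""
    keystream = xor(known_plain, ciphertext)
    for seed in range(1 << SEED_BITS):
        if prng_pad(seed, len(keystream)) == keystream:
            return seed
    return None

def demo(seed: int = 0xBEEF):
    m1, m2 = b"MEET AT NOON", b"BRING THE KEYS"          # constructed sample messages
    c1, c2 = encrypt_with_pad(prng_pad(seed, PAD_LEN), [m1, m2])
    s = recover_seed(m1, c1)                              # one known plaintext yields the seed ...
    pad = prng_pad(s, PAD_LEN)
    m2_recovered = xor(c2, pad[len(m1):len(m1) + len(m2)])   # ... and the seed yields every later message
    # With a real OTP the same check learns nothing: m1 exposes only its own pad bytes.
    o1, _ = encrypt_with_pad(true_otp_pad(PAD_LEN), [m1, m2])
    return s, m2_recovered, recover_seed(m1, o1)
```

The seed space, not the pad length, bounds the work here; a real DRBG seed is wider, but the structure of the problem is the same and is exactly what "subject to mathematical attack" means.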