[3465] in cryptography@c2.net mail archive
Re: IP: State Govt Will Use Datakey Smart Cards
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Wed Oct 14 11:57:42 1998
In-Reply-To: <005e01bdf639$e42f0f20$88004bca@home>
Date: Wed, 14 Oct 1998 11:45:51 +0100
To: "Enzo Michelangeli" <em@who.net>, <cryptography@c2.net>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
At 7:40 AM +0800 10/13/98, Enzo Michelangeli wrote:
. . .
>
>I know, but when it comes to cryptography I trust air and sunshine more than
>obscurity.
>
>That said, it may still be possible to get the best of both worlds - open
>design of tamper-proof devices. For example, I'd like to see a loadable
>smartcard with a well-documented design, sporting a few built-in devices
>such as a modular multiplier and a hardware-based RNG. Then, the firmware
>comprising the crypto algorithms could be separately developed and subjected
>to public review; this would also ease export-control problems, as RNG's and
>multipliers are not, per se, cryptographic equipment.
>
The problem is the "hardware-based RNG." Without reverse engineering the
smart card, it is hard to distinguish a fair RNG from one that is rigged to
generate sequences with a much smaller entropy. One approach might be to
have a completely deterministic smart card with no random number generator
at all. Here is how that might work.

One of my pet ideas is generating public/private key pairs directly from a
passphrase. All one needs to do is transform the passphrase to a binary
number, possibly using a hash function like SHA, and then add that number
to some base number to create a starting point for the prime search
algorithm. Use a different hash value, say after permuting the passphrase,
to start looking for the second prime. Now this approach is probably not
suited for mass audiences who cannot be depended on to use strong
passphrases, but it does have some interesting properties, including the
ability for someone to "memorize" their private key.

Now suppose a smart card used this method to generate public/private key
pairs with an algorithm that was published. It would be a simple matter to
audit the cards: Just generate some keys and see if the public keys match
what the published algorithm produces for the same passphrase. If the
passphrase is generated completely randomly, e.g. using dice (see
http://www.hayom.com/diceware.html), and if it is long enough, the
resulting key pair will be as strong as any generated by a fair RNG.
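Reinhold's passphrase-to-key-pair derivation and the audit he proposes, written out as an added Python example (not code from the post). It assumes SHAKE256 as the hash, a fixed label in place of permuting the passphrase, 2^(bits-1) as the base number, a toy 512-bit modulus and e = 65537; the audit check also shows that anyone who knows the passphrase reproduces the key, which is why the scheme stands or falls on passphrase entropy.

```python
import hashlib
import math
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed witness bases, so the whole derivation is reproducible."""
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime_from(start):
    """The prime search: walk upward over odd candidates from the starting point."""
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n

def prime_from_passphrase(passphrase, label, bits):
    """Hash -> number, add base 2^(bits-1) for size, prime-search; label stands in for the 'permuted passphrase' (assumption)."""
    h = hashlib.shake_256(label + b"\x00" + passphrase.encode("utf-8")).digest(bits // 8)
    hash_int = int.from_bytes(h, "big") >> 1        # bits-1 bits derived from the passphrase
    return next_prime_from((1 << (bits - 1)) + hash_int)

def derive_rsa_keypair(passphrase, bits=512):
    """Fully deterministic RSA key pair: same passphrase -> same keys on any device."""
    p = prime_from_passphrase(passphrase, b"prime-1", bits // 2)
    q = prime_from_passphrase(passphrase, b"prime-2", bits // 2)
    e = 65537                                        # public exponent (assumption)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:       # rare; resolved deterministically
        q = next_prime_from(q + 2)
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, e, d)

def audit_card(card_public_key, passphrase, bits=512):
    """The audit Reinhold describes: rerun the published algorithm, compare public keys."""
    return card_public_key == derive_rsa_keypair(passphrase, bits)[0]
```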
There is some security exposure while the passphrase is being loaded into
the smart card. But this is a one time event and can be safeguarded in a
number of ways. One way is to enter dice rolls directly using a key pad
built onto the smart card itself. Fifty dice roll results (or ten groups
of five dice results) would have to be entered to get 128-bit entropy.
Again, this approach may be too clumsy for mass market use, but it does
allow use of smart cards without having to trust the smart card vendor.

Paranoia is a healthy attitude when it comes to security.

Arnold Reinhold