[3466] in cryptography@c2.net mail archive
Re: IP: State Govt Will Use Datakey Smart Cards
daemon@ATHENA.MIT.EDU (EKR)
Wed Oct 14 12:22:41 1998
To: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: "Enzo Michelangeli" <em@who.net>, <cryptography@c2.net>
From: EKR <ekr@rtfm.com>
Date: 14 Oct 1998 09:13:21 -0700
In-Reply-To: "Arnold G. Reinhold"'s message of "Wed, 14 Oct 1998 11:45:51 +0100"
"Arnold G. Reinhold" <reinhold@world.std.com> writes:
> At 7:40 AM +0800 10/13/98, Enzo Michelangeli wrote:
> . . .
> >
> >I know, but when it comes to cryptography I trust air and sunshine more than
> >obscurity.
> >
> >That said, it may still be possible to get the best of both worlds - open
> >design of tamper-proof devices. For example, I'd like to see a loadable
> >smartcard with a well-documented design, sporting a few built-in devices
> >such as a modular multiplier and a hardware-based RNG. Then, the firmware
> >comprising the crypto algorithms could be separately developed and subjected
> >to public review; this would also ease export-control problems, as RNG's and
> >multipliers are not, per se, cryptographic equipment.
> >
>
> The problem is the "hardware-based RNG." Without reverse engineering the
> smart card, it is hard to distinguish a fair RNG from one that is rigged to
> generate sequences with a much smaller entropy. One approach might be to
> have a completely deterministic smart card with no random number generator
> at all. Here is how that might work.
>
> One of my pet ideas is generating public/private key pairs directly from a
> passphrase. All one needs to do is transform the passphrase to a binary
> number, possibly using a hash function like SHA, and then add that number
> to some base number to create a starting point for the prime search
> algorithm. Use a different hash value, say after permuting the passphrase,
> to start looking for the second prime. Now this approach is probably not
> suited for mass audiences who cannot be depended on to use strong
> passphrases, but it does have some interesting properties, including the
> ability for someone to "memorize" their private key.
As has been widely observed, if you're using any of the discrete
log systems (DH, DSS, KEA, etc.) the primes are public and the
passphrase can be used directly as the private key.
That said, I don't consider this to be a serious problem. If the
manufacturer of your hardware has intentionally compromised it,
you're in big trouble. For instance, the hardware can leak your
key bits using whatever other random (padding, MEK, etc.) bits
it generates.
-Ekr
[Eric Rescorla ekr@rtfm.com]
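Both ideas in the exchange above, as an added example that is not part of the thread: the quoted recipe (hash the passphrase, add a base number, search for the next prime; permute the passphrase to find the second prime) and EKR's observation that in a discrete-log system the hashed passphrase can serve directly as the private key. Assumptions not in the thread: SHA-256 as the hash, 2^255 as the base number, string reversal as the permutation, and 256-bit toy primes found with a fixed-base Miller-Rabin test.

```python
import hashlib

BITS = 256                         # demo size only; far too small for real keys
BASE = 1 << (BITS - 1)             # assumed "base number": search starts in the 256-bit range
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # fixed bases keep the test deterministic

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; n is always large here, so no small-prime special cases."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(start: int) -> int:
    """Prime search: the first prime >= start, so the result depends only on the start."""
    n = start | 1
    while not is_probable_prime(n):
        n += 2
    return n

def passphrase_to_start(passphrase: str) -> int:
    """Hash the passphrase to a number and add it to the base number (the quoted recipe)."""
    h = int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")
    return BASE + h % BASE         # keeps the start inside [2^255, 2^256)

def derive_rsa_keypair(passphrase: str):
    """Return ((n, e), (n, d)) derived from nothing but the passphrase."""
    p = next_prime(passphrase_to_start(passphrase))
    q = next_prime(passphrase_to_start(passphrase[::-1]))   # reversal as the "permutation"
    if p == q:                     # e.g. a palindromic passphrase: both searches coincide
        raise ValueError("both prime searches returned the same prime")
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    # pow(e, -1, phi) (Python 3.8+) raises ValueError if e is not invertible mod phi
    return (n, e), (n, pow(e, -1, phi))

def derive_dl_private_key(passphrase: str, q: int) -> int:
    """EKR's point: with public group parameters, the hashed passphrase is the private key."""
    h = int.from_bytes(hashlib.sha256(passphrase.encode("utf-8")).digest(), "big")
    return 1 + h % (q - 1)         # exponent in [1, q-1]
```

The same passphrase always yields the same key pair, which is exactly the property the post describes: the key is only as secret as the passphrase that produced it.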