On 06/01/2014 17:29, Emmanuel Dreyfus wrote:
> On Mon, Jan 06, 2014 at 05:24:00PM +0100, Jean-Yves Migeon wrote:
>> I don't think it is possible; key parameters do not keep information about the state they were created in. The system is weak not because the key is invalid but rather because an attacker has fewer states to test before being successful.
>
> But that assumes the attacker knows how the random generator was skewed, doesn't it?
Yes. The attacker "guesses" the values by knowing that the OS is in its early boot stage, with almost empty entropy pools and without external events used to fill them up. The range of accessible values is limited, so start with those first.
This of course requires good knowledge of the OS and its PRNG and the way it boots.
> And if the attacker can test it remotely, we should be able to test it locally with access to the private key, or am I missing something?
I do not understand that part -- what do you mean? Collecting entropy information through side channels like TCP ack/seq numbers, SYN cookies, ... ?
-- Jean-Yves Migeon
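The state-enumeration attack described in the reply above, and the local check Emmanuel asks about, as an added example that is not part of the original thread and not NetBSD's PRNG. It models an early-boot entropy pool as holding only two low-entropy inputs (a tick counter and a pid, both bounded by assumed constants `MAX_TICKS` and `MAX_PID`), derives a "private key" from that pool with SHA-256 and a "public fingerprint" from the key; the attacker, seeing only the fingerprint, walks every reachable pool state, while the local audit does the same walk against the private key itself. All names, bounds and the key derivation are constructed for illustration.

```python
"""Constructed model of a key derived from a low-entropy boot-time pool.

Not any real OS's PRNG: the pool is assumed to contain only a tick counter
and a process id, so the set of states it can be in is small enough to
enumerate exhaustively.
"""
import hashlib
import hmac
import struct

# Assumed bounds on what the early-boot pool can hold (hypothetical).
MAX_TICKS = 256   # uptime ticks at key-generation time
MAX_PID = 256     # pid of the key-generating process


def derive_private_key(ticks: int, pid: int) -> bytes:
    """Private key as a deterministic function of the weak pool state."""
    pool = struct.pack(">IH", ticks, pid)
    return hashlib.sha256(pool).digest()


def public_fingerprint(private_key: bytes) -> bytes:
    """Stand-in for the public half an attacker can observe remotely."""
    return hashlib.sha256(b"pub" + private_key).digest()


def candidate_states():
    """Every pool state the boot model says is reachable."""
    for ticks in range(MAX_TICKS):
        for pid in range(MAX_PID):
            yield ticks, pid


def attacker_recover(fingerprint: bytes):
    """Remote attacker: knows only the fingerprint and the boot model.
    Tries each reachable state; returns the matching (ticks, pid) or None."""
    for ticks, pid in candidate_states():
        cand = derive_private_key(ticks, pid)
        if hmac.compare_digest(public_fingerprint(cand), fingerprint):
            return ticks, pid
    return None


def local_audit(private_key: bytes):
    """Local check with the private key in hand: same enumeration, compared
    against the key itself. A hit means the key came from a weak state."""
    for ticks, pid in candidate_states():
        if hmac.compare_digest(derive_private_key(ticks, pid), private_key):
            return ticks, pid
    return None


def search_space_size() -> int:
    """Work factor for the attacker under this model."""
    return MAX_TICKS * MAX_PID


if __name__ == "__main__":
    weak = derive_private_key(37, 200)          # key made at a weak state
    print("attacker recovers state:", attacker_recover(public_fingerprint(weak)))
    print("local audit of weak key:", local_audit(weak))
    print("local audit of unrelated key:", local_audit(b"\xff" * 32))
    print("states to try:", search_space_size(), "vs 2**256 for a full-entropy key")
```

The audit never needs to know the attacker's intent, only the boot model; whoever can enumerate the reachable states can run the same loop against a private key they hold, which is why a local test is possible exactly when a remote one is.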