tech-crypto archive


Re: Patch: new random pseudodevice



On Fri, 09 Dec 2011, Thor Lancelot Simon wrote:
An attacker who can break AES might be able to predict the future output of _one_ instance of the generator. An attacker who can break AES and recover the key and defeat the backtracking resistance designed into CTR_DRBG *might* be able to recover the prior outputs of the generator for that user. An attacker who can do all these things *and* recover earlier entropy-pool output from later entropy-pool output (that is, do exactly what would have had to be done to break the old design) can recover keys provided by the generator to other users. If he happens to know when exactly they were produced (time is an input to the algorithm), etc.

Fair enough, but you still seem to be talking about how good a CSPRNG it is, whereas my concern is that it's pseudorandom, not random.

How many different bit streams of length 2^31 can be produced by a generator that has a 128-bit key? I think it's 2^128 different pseudorandom bit streams of length 2^31. If they were truly random, then there would be 2^(2^31) of them.

I still think it's not appropriate for /dev/random to output pseudorandom bits (even cryptographically secure pseudorandom bits) when it has historically output random bits (or at least attempted to output random bits, modulo bugs, design mistakes, etc.).

--apb (Alan Barrett)
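The counting argument in the reply above (a generator with a k-bit key can emit at most 2^k distinct output streams, however long those streams are, while a truly random source of n-bit strings has 2^n of them) can be checked directly on a scaled-down model. The following is an added illustration, not code from the thread, NetBSD, or CTR_DRBG: it uses SHA-256 of (key || counter) as a stand-in PRF instead of AES, an 8-bit key instead of 128 bits, and 32-bit output streams instead of 2^31 bits, so that every key can be enumerated. The function names and the toy parameters are assumptions of this example.

```python
import hashlib


def ctr_stream(key: bytes, stream_bits: int) -> int:
    """Toy CTR-mode generator: output block i = SHA-256(key || i), concatenated
    and truncated to stream_bits. SHA-256 stands in for AES as the PRF; this is
    a simplified model of a keyed deterministic generator, not CTR_DRBG itself."""
    out = b""
    counter = 0
    while len(out) * 8 < stream_bits:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    # Keep the leading stream_bits bits of the concatenated blocks.
    return int.from_bytes(out, "big") >> (len(out) * 8 - stream_bits)


def count_distinct_streams(key_bits: int, stream_bits: int) -> int:
    """Enumerate every key of key_bits bits and count how many distinct
    output streams of stream_bits bits the generator can produce.
    The result can never exceed 2**key_bits, regardless of stream_bits."""
    key_len = (key_bits + 7) // 8
    streams = {
        ctr_stream(k.to_bytes(key_len, "big"), stream_bits)
        for k in range(2 ** key_bits)
    }
    return len(streams)


def possible_streams(stream_bits: int) -> int:
    """Number of distinct stream_bits-bit strings a truly random source could emit."""
    return 2 ** stream_bits


if __name__ == "__main__":
    # Toy parameters (constructed for the demonstration): 8-bit key, 32-bit streams.
    key_bits, stream_bits = 8, 32
    reachable = count_distinct_streams(key_bits, stream_bits)
    total = possible_streams(stream_bits)
    print(f"{key_bits}-bit key: at most 2^{key_bits} = {2 ** key_bits} streams; "
          f"observed {reachable} distinct")
    print(f"truly random {stream_bits}-bit strings: 2^{stream_bits} = {total}")
    print(f"fraction of the space reachable: {reachable / total:.3e}")
```

Scaling the parameters back up gives the thread's numbers: with a 128-bit key the reachable set is bounded by 2^128 streams, against 2^(2^31) possible 2^31-bit strings. The gap does not shrink with a stronger PRF; it is a property of any deterministic generator and is exactly the distinction the reply draws between "cryptographically secure" and "random".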

