tech-crypto archive


Re: Patch: new random pseudodevice



On Dec 9, 2011, at 3:15 52PM, Thor Lancelot Simon wrote:
>> 
>> (1) Strong bits suitable for direct use as things like crypto keys.
>> Using a PRNG here, even a really good one, is a major fail.
> 
> This may be your opinion, but it differs radically from the opinion of
> almost every expert in the field of which I am aware.  Notably, it differs
> from the opinions of the people who wrote the several relevant FIPS and
> X9 standards, who _require_ that cryptosystem keys be generated by an
> approved DRBG (their terminology for a CSPRNG) -- though they also
> impose minimum entropy requirements for keying the DRBG itself -- and
> of SP800-90, which explicitly discusses this issue.
> 
> I value your point of view on this.  But I value theirs, collectively,
> more.


Right.  Back in the days of the Clipper chip, Dorothy Denning posted
a statement on how the escrow keys were generated (search for
"chip programming" at http://catless.ncl.ac.uk/Risks/14.52.html).
It shocked a lot of people because it was an algorithmic method,
rather than a "true" RNG.  Denning later retracted those details,
possibly because she got some minor details wrong -- or possibly
because she got it right.  Why would NSA resort to a CSPRNG instead
of a "true" RNG?  In my opinion (and I suspect the opinion of the
folks who wrote the standards Thor mentioned, and remember that
the NIST folks who write cryptographic FIPS do talk to NSA),
a CSPRNG is more secure.  Why?  Because we *know* what it does,
all the time.  "True" RNGs are devilishly hard to get right, and
are susceptible to all sorts of environmental perturbations.  Imagine
what would happen if someone upgraded the disk to a flash disk or
one with a large flash cache....


                --Steve Bellovin, https://www.cs.columbia.edu/~smb
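The thread refers to the SP 800-90 DRBG construction (a deterministic generator keyed from a minimum amount of entropy) without showing one. The following is an added example, not code from this thread or from NetBSD: an HMAC_DRBG following the SP 800-90A construction, instantiated with SHA-256. The class name, the `SECURITY_STRENGTH` of 32 bytes and the use of `os.urandom` as the entropy source are this example's own choices. It makes Bellovin's point concrete: every output byte is a deterministic function of the seed material, so the only place "true" randomness enters is instantiate and reseed, and the standard's minimum-entropy rule is enforced at exactly that boundary.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """HMAC_DRBG per NIST SP 800-90A, instantiated with HMAC-SHA-256.

    Deterministic: identical seed material always yields identical output.
    Entropy enters only through __init__ (instantiate) and reseed().
    """

    OUTLEN = hashlib.sha256().digest_size   # 32 bytes for SHA-256
    SECURITY_STRENGTH = 32                  # 256-bit strength -> at least 32 bytes of entropy
    MAX_REQUEST = 1 << 16                   # 2^19 bits per generate call (SP 800-90A table)
    DEFAULT_RESEED_INTERVAL = 1 << 48       # SP 800-90A reseed_interval for HMAC_DRBG

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b"",
                 reseed_interval: int = DEFAULT_RESEED_INTERVAL):
        # The minimum-entropy requirement the standards impose on keying the DRBG.
        if len(entropy) < self.SECURITY_STRENGTH:
            raise ValueError("entropy input below the minimum for 256-bit security strength")
        self._reseed_interval = reseed_interval
        self._K = b"\x00" * self.OUTLEN
        self._V = b"\x01" * self.OUTLEN
        self._update(entropy + nonce + personalization)
        self._reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self._K, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update from SP 800-90A section 10.1.2.2.
        self._K = self._hmac(self._V + b"\x00" + provided_data)
        self._V = self._hmac(self._V)
        if provided_data:
            self._K = self._hmac(self._V + b"\x01" + provided_data)
            self._V = self._hmac(self._V)

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        # Fresh entropy is mixed into the state; the counter restarts.
        if len(entropy) < self.SECURITY_STRENGTH:
            raise ValueError("reseed entropy below the minimum for 256-bit security strength")
        self._update(entropy + additional)
        self._reseed_counter = 1

    def generate(self, num_bytes: int, additional: bytes = b"") -> bytes:
        # HMAC_DRBG_Generate from SP 800-90A section 10.1.2.5.
        if num_bytes > self.MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self._reseed_counter > self._reseed_interval:
            raise RuntimeError("reseed required before more output can be produced")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < num_bytes:
            self._V = self._hmac(self._V)
            out += self._V
        self._update(additional)        # backtracking resistance: advance the state
        self._reseed_counter += 1
        return out[:num_bytes]


def fresh_generator(personalization: bytes = b"") -> HmacDrbg:
    """Instantiate from the OS entropy source; this is the only non-deterministic step."""
    return HmacDrbg(os.urandom(HmacDrbg.SECURITY_STRENGTH),
                    nonce=os.urandom(16), personalization=personalization)


def same_seed_same_output(seed: bytes, nonce: bytes, num_bytes: int = 32) -> bool:
    """Two generators built from identical seed material produce identical output."""
    return HmacDrbg(seed, nonce).generate(num_bytes) == HmacDrbg(seed, nonce).generate(num_bytes)


if __name__ == "__main__":
    # Constructed, fixed seed material so the run is reproducible.
    seed, nonce = bytes(range(32)), b"example-nonce"
    print(HmacDrbg(seed, nonce).generate(32).hex())
    print("deterministic:", same_seed_same_output(seed, nonce))
    print("key from OS-seeded instance:", fresh_generator(b"demo").generate(32).hex())
```

The `reseed_interval` argument exists only so the counter check can be exercised with a small value; in practice the SP 800-90A default is kept and reseeding is driven by the entropy source, not by the caller.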






