tech-crypto archive
Re: Initial entropy with no HWRNG
>> B1) Because they already got the binaries or the sources from us; we
>> could simply tamper those to do the wrong thing instead.
> Tampering is loud, but eavesdropping is quiet. There is no way to do
> this that is resistant to eavesdropping without a secret on the
> client side.
Ironically, there is, from an algorithms perspective, the simplest
perhaps being Diffie-Hellman. (D-H is as hard as discrete log, for
passive eavesdroppers. It's active MitM that it's not enough for.)
The irony arises because, as far as I know, all such algorithms require
randomness - or at least unpredictability to the attacker - on each
end, making this a chicken-and-egg problem.
Or is that what you meant by "a secret"?
(Admittedly, well-done MitM is quiet too, if you don't have some kind
of identity verification rolled into the exchange.)
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
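The point in the reply above, that D-H resists a passive eavesdropper only when each side contributes an exponent the eavesdropper cannot predict, can be shown in a few lines. The following is an added illustration, not code from this thread or from NetBSD; the group parameters are a toy (a 127-bit Mersenne prime, chosen for readability, not security), and the "low-entropy" exponent derivation standing in for a client with no HWRNG is a constructed assumption.

```python
"""Diffie-Hellman over a toy group: secure against a passive eavesdropper
only when each side's private exponent is unpredictable to that eavesdropper.
Added illustration for the tech-crypto thread; not code from the thread."""
import hashlib
import secrets

# Toy group parameters (constructed for this illustration; real deployments
# use a standardised large group such as the RFC 3526 MODP groups).
P = 2**127 - 1   # a Mersenne prime, far too small for real use
G = 3


def random_private() -> int:
    """Private exponent from the OS CSPRNG: unpredictable to an eavesdropper."""
    return secrets.randbelow(P - 2) + 1


def low_entropy_private(seed: int) -> int:
    """Hypothetical 'no HWRNG' exponent: derived from a small seed (think a
    boot counter or coarse timestamp) that an eavesdropper can enumerate."""
    digest = hashlib.sha256(b"boot-seed-" + seed.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1


def public_of(priv: int) -> int:
    return pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> bytes:
    """Hash the shared group element into a symmetric key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def exchange(alice_priv: int, bob_priv: int):
    """Run the protocol; return what each party derives and what the wire shows."""
    a_pub, b_pub = public_of(alice_priv), public_of(bob_priv)
    # Everything a passive eavesdropper gets to see:
    transcript = {"p": P, "g": G, "A": a_pub, "B": b_pub}
    return session_key(alice_priv, b_pub), session_key(bob_priv, a_pub), transcript


def eavesdrop_guessing_seeds(transcript, seed_space: int):
    """Passive attacker who knows Alice's exponent comes from a small seed
    space: re-derive candidates until one reproduces the observed A, then
    finish Alice's side of the computation. Returns None if nothing matches."""
    for seed in range(seed_space):
        cand = low_entropy_private(seed)
        if public_of(cand) == transcript["A"]:
            return session_key(cand, transcript["B"])
    return None


SEED_SPACE = 4096  # constructed: 12 bits of 'entropy' on the client side


def demo_strong():
    """Both exponents from a CSPRNG: keys agree, eavesdropper learns nothing."""
    k_a, k_b, t = exchange(random_private(), random_private())
    return k_a == k_b, eavesdrop_guessing_seeds(t, SEED_SPACE)


def demo_weak():
    """Alice's exponent from a guessable seed: keys still agree, but the
    eavesdropper recovers the same session key from the transcript alone."""
    k_a, k_b, t = exchange(low_entropy_private(1234), random_private())
    return k_a == k_b, eavesdrop_guessing_seeds(t, SEED_SPACE) == k_b


if __name__ == "__main__":
    print("strong exponents -> keys agree, leaked key:", demo_strong())
    print("weak exponent    -> keys agree, key recovered:", demo_weak())
```

Note that the protocol itself behaves identically in both runs; nothing on the wire distinguishes them. The only difference is whether Alice's exponent was unpredictable, which is exactly the chicken-and-egg the reply raises: the client needs some entropy before the first exchange can protect anything.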