bram (bram@gawth.com)
Mon, 13 Jul 1998 00:15:47 -0700 (PDT)
On 13 Jul 1998, Cicero wrote:
> Bram wrote:
> >
> >xor the result with the contents of the pool, then hash the result to get
> >the new contents of the pool.
>
> I think you can make this good method better by removing the second
> hash.
>
> Am I missing some attack you are protecting against, or other
> advantage you get, by the second hash?
There's an attack I'm worried about.
If an attacker finds out the internal state and can control the inputs to
the PRNG, then by pelting it with a whole bunch of bitstrings to
incorporate between requests for output he can cause the output to cycle.
An obscure attack requiring several breaches to already have taken place,
but since it's possible to stop it easily, might as well.
Using addition modulo 2^(pool size) instead of xor is significantly
better, but I've got an attack for that as well. The same attack is much
more powerful against RSAREF. I really outta get around to writing it
up ...
> >A good way of getting random numbers out of the pool is to compute the
> >hash of its negation and use that as the random output, then hash its
> >non-negated value to get the new value for the pool.
I should clarify that by 'negate' I mean flip all bits, not negate modulo
2^(pool size), although the latter might be marginally better.
-Bram
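The pool construction discussed in the message above, written out as an added example (this is not Bram's code; the thread names no hash function or pool size, so SHA-256 and a 256-bit pool are assumptions of the example). Both mixing variants are included side by side: Cicero's XOR-only step and Bram's XOR-then-hash step, together with the two readings of "negate" he distinguishes. The helper `same_input_twice_cancels` shows one concrete consequence of XOR being its own inverse: a bitstring fed into an XOR-only pool twice between two output requests leaves the pool exactly where it started, whereas the hashed step does not undo itself. That is a property of XOR, not a reconstruction of the specific attack Bram says he has yet to write up.

```python
"""Pool-based PRNG as described in the thread: inputs are XORed into a
fixed-size pool (optionally followed by a hash); output is the hash of the
negated pool, after which the pool is replaced by the hash of itself.

Assumption of this example: SHA-256 as the hash, so the pool is 256 bits.
"""
import hashlib

POOL_BYTES = 32  # assumed: pool width equals the SHA-256 digest width


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    # Right-pad (or truncate) an input to the pool width so it can be XORed in.
    return data[:POOL_BYTES].ljust(POOL_BYTES, b"\x00")


def mix_xor_only(pool: bytes, data: bytes) -> bytes:
    """Cicero's suggestion: XOR the input into the pool and stop there."""
    return xor(pool, pad(data))


def mix_xor_then_hash(pool: bytes, data: bytes) -> bytes:
    """Bram's method: XOR the input into the pool, then hash the result."""
    return h(xor(pool, pad(data)))


def flip_bits(pool: bytes) -> bytes:
    """'Negate' in Bram's sense: invert every bit of the pool."""
    return bytes(b ^ 0xFF for b in pool)


def negate_mod(pool: bytes) -> bytes:
    """The alternative he mentions: negation modulo 2^(pool size)."""
    n = int.from_bytes(pool, "big")
    return ((-n) % (1 << (8 * POOL_BYTES))).to_bytes(POOL_BYTES, "big")


def extract(pool: bytes, negate=flip_bits) -> tuple[bytes, bytes]:
    """Return (random_output, new_pool).

    The output is the hash of the negated pool; the pool itself is then
    replaced by the hash of its non-negated value, so the output never
    reveals the new state directly.
    """
    return h(negate(pool)), h(pool)


def same_input_twice_cancels(mix, pool: bytes, data: bytes) -> bool:
    """Does feeding the same bitstring twice return the pool to its prior state?

    True for XOR-only mixing (XOR is its own inverse), False for the
    XOR-then-hash step, where the hash breaks that linearity.
    """
    return mix(mix(pool, data), data) == pool


if __name__ == "__main__":
    pool = bytes(range(POOL_BYTES))  # constructed starting state
    print("xor-only cancels:", same_input_twice_cancels(mix_xor_only, pool, b"some input"))
    print("xor+hash cancels:", same_input_twice_cancels(mix_xor_then_hash, pool, b"some input"))
    out, pool = extract(pool)
    print("output:", out.hex())
```

Note that `flip_bits` and `negate_mod` differ by exactly one for any non-zero pool value (two's complement negation is the bitwise complement plus one), which is why Bram can call the modular version only "marginally" different.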
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:19 ADT