CSPRNG stuff


bram (bram@gawth.com)
Mon, 1 Feb 1999 14:42:44 -0800 (PST)


On Sun, 31 Jan 1999, David R. Conrad wrote:

> On Thu, 28 Jan 1999, bram wrote:
>
> > There's a more subtle problem of what to do when your counterparty doesn't
> > trust you to have a good source of entropy. That problem can be fixed by
> > having certificates from third parties saying 'I gave some random bits to
> > party x at time y using his public key'. The exact details of what sets of
> > such certificates are acceptable to begin a session are, of course, an
> > implementation problem, but a very non-trivial one.
>
> For an online protocol, Alice and Bob both generate a random N-bit session
> key. They then exchange them (hey, they must have already had some method
> in mind to transfer the one). The N-bit session key they use is the XOR
> of the two keys they chose.
>
> As long as at least one of them had some decent entropy, they're fine.

Hmm, yes, you're right. Of course, that does influence the protocol a bit,
but it reduces the problem to (at worst) one of occasional third-party
auditing.

It's also a good idea to send over some random bits to any counterparty
you establish a secure connection with, just for good measure.

There are some more subtle things which can be added to a protocol as
well, for example a message at bootstrap saying 'I don't have any entropy,
but I trust that you do if you say so.'

I think it's a good idea for any CSPRNG to be able to say that it doesn't
have enough entropy at the moment. For example, /dev/random could be made
to encounter an I/O problem if the RNG has been unavailable for too long.

Someone mentioned that he would only really trust a peripheral as a good
RNG. I invite anyone with the technical know-how to market such things. If
they were offered for $10 or less I would unhesitatingly buy one for all
my personal machines.

In all that flame mess, I think someone asked about whether it's a good
idea to hash a whole bunch of plaintext to get some random bits. The
obvious answer is no, because that provides no defense against
continuation attacks, but that's a bit of an oversimplification.
Continuation attacks which involve intercepting, say, all the data running
through a given router and hashing it can be difficult, if not impossible,
to carry out in practice. While it would be unwise to rely completely on
something which was technically speaking only a PRNG, feeding the output
of such a thing to seed a CSPRNG can be a useful bit of redundancy in case
the source of 'true' entropy fails.

-Bram

(Who would like a good CSPRNG around just because making a kill file pipe
particularly distasteful material to /dev/random is much more poetic than
piping it to /dev/null)
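The exchange David Conrad describes above (each side picks an N-bit value, they swap, and the session key is the XOR), worked through as an added example in Python. This is not code from the thread or from any project; the GoodRng/FailedRng classes are constructed stand-ins for each party's entropy source, including one that has silently run dry, and the commit-then-reveal step and the mix_seed combiner are additions made here, not something the mail proposes. The commitment matters because a counterparty who gets to see the other side's value before choosing its own could pick its value to steer the XOR result; committing to a hash first removes that freedom.

```python
"""Combining two parties' random contributions into one session key.

Added example, not from the original thread. Transport and authentication
of the channel are out of scope: both parties are simulated in one process.
"""
import hashlib
import hmac
import secrets

KEY_BYTES = 32  # N = 256-bit session key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("contributions must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def session_key(alice_part: bytes, bob_part: bytes) -> bytes:
    """The thread's scheme: key = alice_part XOR bob_part.

    The result is uniformly random as long as at least one part is, and
    neither party alone can learn anything about the other's contribution
    from the key that it did not already know.
    """
    return xor_bytes(alice_part, bob_part)


def commitment(part: bytes) -> bytes:
    """Hash commitment to a contribution (addition made here, not in the mail).

    Sending H(part) before seeing the peer's value stops a party from choosing
    its own value after the fact to control the XOR result.
    """
    return hashlib.sha256(b"session-commit|" + part).digest()


def verify_reveal(commit: bytes, revealed: bytes) -> bool:
    """Check a revealed contribution against the commitment sent earlier."""
    return hmac.compare_digest(commit, commitment(revealed))


def run_exchange(alice_part: bytes, bob_part: bytes) -> bytes:
    """Commit-then-reveal exchange; returns the agreed key or raises."""
    # 1. Bob commits to his part before seeing Alice's.
    bob_commit = commitment(bob_part)
    # 2. Alice sends her part in the clear over the (authenticated) channel.
    # 3. Bob reveals his part; Alice checks it against the commitment.
    if not verify_reveal(bob_commit, bob_part):
        raise ValueError("revealed contribution does not match commitment")
    key_alice = session_key(alice_part, bob_part)
    key_bob = session_key(bob_part, alice_part)
    assert key_alice == key_bob  # XOR is commutative; both sides agree
    return key_alice


class GoodRng:
    """Party with a working entropy source."""

    def random_bytes(self, n: int) -> bytes:
        return secrets.token_bytes(n)


class FailedRng:
    """Constructed model of a party whose entropy source has failed and
    returns a constant (the 'I don't have any entropy' case in the mail)."""

    def __init__(self, fill: int = 0) -> None:
        self.fill = fill

    def random_bytes(self, n: int) -> bytes:
        return bytes([self.fill]) * n


def negotiate(alice_rng, bob_rng) -> bytes:
    """Draw both contributions from the given sources and run the exchange."""
    return run_exchange(alice_rng.random_bytes(KEY_BYTES),
                        bob_rng.random_bytes(KEY_BYTES))


def mix_seed(*sources: bytes) -> bytes:
    """Hash several seed sources into one CSPRNG seed (addition made here).

    Each input is length-prefixed so distinct source boundaries give distinct
    digests. This is the 'redundancy' case from the last paragraph: a weak
    source (e.g. hashed traffic) can be mixed in beside the real entropy
    source without weakening the result if the real source is good.
    """
    h = hashlib.sha256()
    for src in sources:
        h.update(len(src).to_bytes(4, "big"))
        h.update(src)
    return h.digest()


if __name__ == "__main__":
    print("good+failed :", negotiate(GoodRng(), FailedRng()).hex())
    print("failed+failed:", negotiate(FailedRng(), FailedRng()).hex())
```

Running the module shows the two cases side by side: with one working source the key is still unpredictable, while with two failed sources the key is a constant, which is exactly the "as long as at least one of them had some decent entropy" condition from the quoted reply. mix_seed is the hash-based alternative for more than two inputs or inputs of differing lengths.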



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:25