Re: weakest link

From: Michael Amling (nospam_at_nospam.com)
Date: 08/27/04


Date: Fri, 27 Aug 2004 18:38:32 GMT

Donald Hines wrote:

> Michael Amling <nospam@nospam.com> wrote in message news:<hVwXc.7872$Y94.6773@newssvr33.news.prodigy.com>...
> "Michael Amling" <nospam@nospam.com> wrote
> >Seeding an RNG from private or secret key material is not
> >good practice.
>
> Thank you for the analysis. But I'm curious about the above
> statement. Do you just mean that using a PRNG as a stream
> cipher isn't very strong, (in which case I understand)
> OR, are you stating that, assuming you are creating such
> a cipher, you don't want to seed the PRNG with the key.
> In which case I am a bit confused as to how else you
> would implement such a scheme.

   I mean that seeding a PRNG (which is being used as a PRNG) with
secret or private key material also used for some other purpose is bad
practice.

   The temptation, which I succumbed to one time years ago, is to think
"If there's anything the attacker doesn't know, it's this secret key, so
if I seed the PRNG with it, then the output will be unpredictable to the
attacker." But that's not good reasoning. If the attacker gets hold of
any of the PRNG's output, she can use it for an attack directly against
the key material.

   The case at hand was different, in that the PRNG was being used as a
stream cipher, and the key material was not used for any other purpose.
(Whether or not a PRNG makes a good stream cipher is a different question.)

--Mike Amling
