[Cryptography] tamper-evident crypto? (was: BULLRUN)
Perry E. Metzger
perry at piermont.com
Thu Sep 5 20:11:08 EDT 2013
On Thu, 05 Sep 2013 16:56:38 -0700 John Denker <jsd at av8n.com> wrote:
> > The generator can
> > be easily tested for correct behavior if it is simply a block
> > cipher.
>
> I wouldn't have said that.
>
> As Dijkstra was fond of saying:
> Testing can show the presence of bugs;
> testing can never show the absence of bugs.
The point is that a deterministic generator operating off of a seed
can be validated -- you can assure yourself reasonably easily that
the thing is indeed AES in counter mode. A hardware generator can have
horrible flaws that are hard to detect without a lot of data from many
devices. (The recent break of the Taiwanese national ID card system
should be a lesson on that too.)
I will remind everyone that the key generation ceremony for the
Clipper devices used a deterministic generator for precisely this
reason even given that the keys were being escrowed. See Dorothy
Denning's old report on that for a reminder.
Perry
--
Perry E. Metzger perry at piermont.com
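As an added example (not code from the original post or from any device Perry refers to) of the validation he describes: if the generator is specified as AES-128 in counter mode, anyone holding the seed can recompute the stream and compare it byte for byte against what the device emitted. The construction below is an assumption for illustration only (AES-128-CTR keyed directly with the 16-byte seed, zero counter, zero plaintext); real designs such as NIST's CTR_DRBG add derivation and reseeding steps. The known-answer value checked in main is AES-128 of the all-zero block under the all-zero key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// CTRGenerate is the assumed deterministic generator: AES-128 in counter
// mode, keyed with the 16-byte seed, counter starting at zero, run over a
// zero plaintext so the output is exactly the keystream. Because every
// step is fixed by the seed, an auditor can recompute the whole stream.
func CTRGenerate(seed []byte, n int) ([]byte, error) {
	block, err := aes.NewCipher(seed) // 16-byte seed selects AES-128
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize()) // counter block starts at zero
	stream := cipher.NewCTR(block, iv)
	out := make([]byte, n)
	stream.XORKeyStream(out, out) // out is all zero, so out becomes keystream
	return out, nil
}

// Validate recomputes the expected stream from the seed and compares it
// with what the device actually produced. It returns -1 if every byte
// matches, otherwise the index of the first byte that differs, which is
// the evidence that the device is not running the claimed algorithm.
func Validate(seed, observed []byte) (int, error) {
	expected, err := CTRGenerate(seed, len(observed))
	if err != nil {
		return 0, err
	}
	for i := range observed {
		if observed[i] != expected[i] {
			return i, nil
		}
	}
	return -1, nil
}

func main() {
	// Constructed inputs: an all-zero seed so the first block is a
	// published AES-128 known answer (66e94bd4ef8a2c3b884cfa59ca342b2e).
	seed := make([]byte, 16)
	out, err := CTRGenerate(seed, 32)
	if err != nil {
		panic(err)
	}
	fmt.Println("first block:", hex.EncodeToString(out[:16]))

	idx, _ := Validate(seed, out)
	fmt.Println("honest device mismatch index:", idx)

	// Simulate a device that quietly deviates from the spec in one byte.
	tampered := append([]byte(nil), out...)
	tampered[20] ^= 0x01
	idx, _ = Validate(seed, tampered)
	fmt.Println("tampered device mismatch index:", idx)
}
```

The check only works because the generator is deterministic: with a hardware noise source there is no reference stream to recompute, which is exactly why such flaws need large samples from many devices to surface.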