Welcome to the Internet, here's your private key

Arnold G. Reinhold reinhold at world.std.com
Tue Feb 5 09:37:45 EST 2002


I'd argue that the RSA and DSA situations can be made equivalent if 
the card has some persistent memory. Some high quality randomness is 
needed at RSA key generation.  For the DSA case, use 256 bits of 
randomness at initialization to seed a PRNG using AES, say. Output 
from the PRNG could be then used to provide the nonces for DSA.  For 
extra credit, PRNG seed could be xor'd periodically with whatever 
randomness is available on chip.

The resulting DSA system requires about the same randomness at 
initialization as RSA. The additional vulnerability introduced 
requires breaking AES to exploit, even if no further randomness is 
available.  All things considered, I'd trust an AES PRNG more than a 
smart card RNG whose long term quality I cannot assess. Better to use 
both, of course.

Arnold Reinhold



At 3:09 PM -0700 2/4/02, lynn.wheeler at firstdata.com wrote:
>One could claim that one of the reasons for using RSA digital signatures
>with smart cards rather than DSA or EC/DSA is the DSA & EC/DSA requirement
>for quality random number generation as part of the signature process.

...

>
>Cards with quality random numbers ... can
>
>1) do on card key-gen
>2) use DSA or EC/DSA
>3) remove dependency on external source to include random number in message
>to be signed.
>
>DSA & EC/DSA because they have a random number as part of the signing
>process precludes duplicate signatures on the same message ... multiple
>messages with the same content & same exact signature is a replay. DSA &
>EC/DSA doing multiple signings of the same content will always result in a
>different signature value.
>
>I've heard numbers on many of the 8bit smartcards ... power-cycle the card
>each time it is asked to generate a random number .... do random number
>generation 65,000 times and look at results. For some significant
>percentage of 8bit cards it isn't unusual to find 30 percent of the random
>numbers duplicated.
>

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
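The scheme Reinhold sketches (seed an AES-based PRNG with 256 bits at card initialization, draw DSA nonces from it, and XOR fresh on-chip randomness into the seed now and then) is concrete enough to show in code. The following is an added example written for this archive page, not code from either poster. It assumes Go's standard-library `crypto/dsa` with 1024/160-bit parameters (chosen for speed; they are far below today's minimums), AES-256 in counter mode over a zero plaintext as the PRNG, and SHA-256 to compress mixed-in entropy to key length before the XOR. Because the generator implements `io.Reader`, the DSA key and every signing nonce are pulled straight from it, and the demo checks the property Wheeler relies on: two signatures over the same digest differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// AESPRNG models the card-resident generator from the post: AES-256 in CTR mode,
// keyed from 256 bits of initialization randomness. Output is the keystream over
// a zero plaintext. It satisfies io.Reader so dsa.GenerateKey and dsa.Sign can
// draw the secret key and the per-signature nonces directly from it.
type AESPRNG struct {
	key     [32]byte
	block   cipher.Block
	counter uint64 // 16-byte blocks already emitted; carried across rekeys so no block repeats
}

// NewAESPRNG insists on exactly 256 bits of seed, the figure given in the post.
func NewAESPRNG(seed []byte) (*AESPRNG, error) {
	if len(seed) != 32 {
		return nil, errors.New("seed must be exactly 256 bits")
	}
	p := &AESPRNG{}
	copy(p.key[:], seed)
	return p, p.rekey()
}

func (p *AESPRNG) rekey() error {
	block, err := aes.NewCipher(p.key[:])
	if err != nil {
		return err
	}
	p.block = block
	return nil
}

// Read emits the next len(buf) bytes of keystream. The block counter is placed in
// the IV, so output is deterministic for a given (key, counter) and never reused.
func (p *AESPRNG) Read(buf []byte) (int, error) {
	var iv [aes.BlockSize]byte
	binary.BigEndian.PutUint64(iv[8:], p.counter)
	for i := range buf {
		buf[i] = 0
	}
	cipher.NewCTR(p.block, iv[:]).XORKeyStream(buf, buf)
	p.counter += uint64((len(buf) + aes.BlockSize - 1) / aes.BlockSize)
	return len(buf), nil
}

// Mix folds whatever on-chip randomness is available into the key, the post's
// "extra credit" step. Hashing first (this example's choice, not in the post)
// lets entropy of any length be XORed into the 256-bit key.
func (p *AESPRNG) Mix(entropy []byte) error {
	h := sha256.Sum256(entropy)
	for i := range p.key {
		p.key[i] ^= h[i]
	}
	return p.rekey()
}

// NewCardKey builds a DSA key as a card would: public parameters from the OS RNG
// (they need no secrecy), the private value x from the card's AES PRNG.
func NewCardKey(prng io.Reader) (*dsa.PrivateKey, error) {
	priv := new(dsa.PrivateKey)
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, err
	}
	if err := dsa.GenerateKey(priv, prng); err != nil {
		return nil, err
	}
	return priv, nil
}

// SignTwice signs one digest twice with nonces drawn from prng. With a
// non-repeating nonce the two (r, s) pairs differ, which is what lets a
// verifier tell a fresh signature from a replayed one.
func SignTwice(prng io.Reader, priv *dsa.PrivateKey, digest []byte) (r1, s1, r2, s2 *big.Int, err error) {
	if r1, s1, err = dsa.Sign(prng, priv, digest); err != nil {
		return
	}
	r2, s2, err = dsa.Sign(prng, priv, digest)
	return
}

func main() {
	seed := make([]byte, 32) // constructed seed; a real card fills this from its RNG at initialization
	for i := range seed {
		seed[i] = byte(i)
	}
	prng, _ := NewAESPRNG(seed)
	priv, err := NewCardKey(prng)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256([]byte("constructed message"))
	r1, s1, r2, s2, err := SignTwice(prng, priv, digest[:])
	if err != nil {
		panic(err)
	}
	fmt.Println("first  r:", r1.Text(16))
	fmt.Println("second r:", r2.Text(16))
	fmt.Println("both verify:", dsa.Verify(&priv.PublicKey, digest[:], r1, s1) && dsa.Verify(&priv.PublicKey, digest[:], r2, s2))
	fmt.Println("signatures differ:", r1.Cmp(r2) != 0)
}
```

The persistent counter is the part worth noticing: mixing entropy changes the key but never rewinds the stream, so even a degenerate Mix (the same bytes mixed in twice, which XORs the key back to its old value) cannot make the card emit a nonce it has already used. The defence against the duplicate-output cards Wheeler describes is therefore carried by the deterministic AES construction, exactly as the post argues, with the on-chip RNG only ever adding entropy.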
