Welcome to the Internet, here's your private key

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Feb 6 11:55:27 EST 2002


Greg Rose <ggr at qualcomm.com> writes:

>While priming the RC4 table, I accidentally filled the data buffer instead
>(D'oh!) with consecutive byte values 0x00, 0x01, ... 0xFF, 0x00, ...
>
>This very much passes the FIPS 140 tests for randomness, despite being nothing
>like it:

A generic order-0 entropy estimator (think Huffman coder) will pass this,
because each symbol occurs with equal probability.  The reason this is a
problem is because any introductory information theory text will give the
standard formula for entropy estimation (H = -sum(prob(x) * log( prob(x)))) and
users will either stop reading there or the text won't go any further.  I've
seen a (fielded) crypto RNG which uses this sort of estimator, which won't
catch a whole pile of failure modes which the FIPS tests would get.

Peter.
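As an added illustration, not part of this post or the thread, the Python below runs the order-0 estimator Peter describes next to an order-1 conditional estimator on a constructed buffer laid out like Greg's; the buffer size and the seeded PRNG used as a stand-in random source are assumptions of the example.

```python
import math
import random
from collections import Counter


def order0_entropy(data: bytes) -> float:
    """Order-0 estimate H = -sum(p(x) * log2(p(x))), in bits per byte.
    This is the textbook formula: it only counts how often each byte value
    occurs and never looks at the order in which the values appear."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def order1_conditional_entropy(data: bytes) -> float:
    """Order-1 estimate H(X_i | X_{i-1}) in bits per byte: how unpredictable
    each byte is once the previous byte is known.  A buffer that walks
    0x00, 0x01, ... 0xFF, 0x00, ... is fully predictable, so this is 0."""
    n = len(data) - 1
    pair_counts = Counter(zip(data, data[1:]))
    prev_counts = Counter(data[:-1])
    h = 0.0
    for (prev, _), c in pair_counts.items():
        h -= (c / n) * math.log2(c / prev_counts[prev])
    return h


# Constructed inputs for the demonstration (assumed sizes, not from the post).
SIZE = 256 * 4096                         # 1 MiB of samples
SEQUENTIAL = bytes(range(256)) * 4096     # the mistakenly filled buffer
# Deterministic PRNG output stands in for a real random source here; it is
# not cryptographic, but it is fine for comparing counting statistics.
RNG_SAMPLE = random.Random(20020206).randbytes(SIZE)


def compare() -> dict:
    """Return (order-0, order-1 conditional) estimates for both buffers."""
    return {
        "sequential": (order0_entropy(SEQUENTIAL),
                       order1_conditional_entropy(SEQUENTIAL)),
        "random": (order0_entropy(RNG_SAMPLE),
                   order1_conditional_entropy(RNG_SAMPLE)),
    }


if __name__ == "__main__":
    for name, (h0, h1) in compare().items():
        print(f"{name:10s} order-0: {h0:.3f} bits/byte"
              f"   order-1 conditional: {h1:.3f} bits/byte")
```

The order-0 figure is 8.0 bits/byte for both buffers, so it cannot tell them apart; the order-1 figure drops to 0 for the sequential buffer and stays near 8 for the PRNG sample.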

---------------------------------------------------------------------
The Cryptography Mailing List