Welcome to the Internet, here's your private key
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Feb 6 11:55:27 EST 2002
Greg Rose <ggr at qualcomm.com> writes:
>While priming the RC4 table, I accidentally filled the data buffer instead
>(D'oh!) with consecutive byte values 0x00, 0x01, ... 0xFF, 0x00, ...
>
>This very much passes the FIPS 140 tests for randomness, despite being nothing
>like it:
A generic order-0 entropy estimator (think Huffman coder) will pass this,
because each symbol occurs with equal probability. The reason this is a
problem is that any introductory information theory text will give the
standard formula for entropy estimation (H = -sum(prob(x) * log(prob(x)))) and
users will either stop reading there or the text won't go any further. I've
seen a (fielded) crypto RNG which uses this sort of estimator, which won't
catch a whole pile of failure modes which the FIPS tests would get.
Peter.