building a true RNG

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jul 31 01:07:13 EDT 2002


David Wagner <daw at cs.berkeley.edu> writes:

>I once wrote a short note about the relevance of this to IPSec:
>http://www.cs.berkeley.edu/~daw/my-posts/using-prngs

There's another way to avoid this problem, which is to separate the nonce RNG
and crypto RNG, so that an attacker seeing the nonce RNG output can't use it
to attack the crypto RNG.  This is done in PGP 5.x and the cryptlib RNG.  OTOH
some RNGs are used in exactly the opposite manner, generating alternate public
and private random quantities, which makes it possible to use one to infer
information about the other.  Examples are generators used with SSL and ssh,
which both alternate from public nonces to private session keys and back.

Peter.
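The structural point above (one pool serving public nonces and private keys versus two independently seeded pools) as an added worked example. This is not code from the post, from PGP 5.x, cryptlib, SSL or ssh; the generator it uses is a deliberately naive hash chain, constructed here so that the leak is visible in a few lines, and all seeds and class names are made up for the example.

```python
import hashlib


class NaiveChainRNG:
    """Toy generator constructed for this example: each output IS the current
    state and the next state is the hash of it, so anyone who sees one output
    can walk the chain forward.  It stands in for any generator whose public
    output reveals something about its private state; it is not a real
    design from any of the systems named in the post."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(seed).digest()

    def next_bytes(self) -> bytes:
        out = self.state
        self.state = hashlib.sha256(self.state).digest()
        return out


class SharedGenerator:
    """One pool alternates public nonces and private keys (the pattern the
    post describes for SSL/ssh-style generators)."""

    def __init__(self, seed: bytes):
        self.rng = NaiveChainRNG(seed)

    def nonce(self) -> bytes:        # goes on the wire
        return self.rng.next_bytes()

    def key(self) -> bytes:          # must stay private
        return self.rng.next_bytes()


class SplitGenerator:
    """Separate nonce pool and key pool (the split the post attributes to
    PGP 5.x and cryptlib), each seeded on its own."""

    def __init__(self, nonce_seed: bytes, key_seed: bytes):
        self.nonce_rng = NaiveChainRNG(nonce_seed)
        self.key_rng = NaiveChainRNG(key_seed)

    def nonce(self) -> bytes:
        return self.nonce_rng.next_bytes()

    def key(self) -> bytes:
        return self.key_rng.next_bytes()


def attacker_candidates(nonce: bytes, steps: int = 4) -> list:
    """What a passive observer tries from one public nonce: the nonce itself
    (in case the key pool was seeded from the same value) plus the next few
    steps of the chain after it."""
    cands = [nonce]
    s = nonce
    for _ in range(steps):
        s = hashlib.sha256(s).digest()
        cands.append(s)
    return cands


def key_recovered(nonce: bytes, key: bytes) -> bool:
    return key in attacker_candidates(nonce)


def demo_shared(seed: bytes = b"constructed seed", rounds: int = 3) -> list:
    """Per round: could an observer of that round's nonce recover its key?"""
    g = SharedGenerator(seed)
    return [key_recovered(g.nonce(), g.key()) for _ in range(rounds)]


def demo_split(nonce_seed: bytes = b"constructed nonce seed",
               key_seed: bytes = b"constructed key seed",
               rounds: int = 3) -> list:
    """Same question for two independently seeded pools."""
    g = SplitGenerator(nonce_seed, key_seed)
    return [key_recovered(g.nonce(), g.key()) for _ in range(rounds)]


def demo_split_same_seed(rounds: int = 3) -> list:
    """Edge case: two generators that share their seed are not two pools.
    Here the key pool simply replays the nonce pool, so every key equals
    the nonce that was just sent."""
    return demo_split(b"one seed for both", b"one seed for both", rounds)


if __name__ == "__main__":
    print("shared pool, key recovered per round:  ", demo_shared())
    print("split pools, key recovered per round:  ", demo_split())
    print("split pools, same seed, key recovered: ", demo_split_same_seed())
```

The chain generator is leaky on purpose; the point being illustrated is the structure, not the hash. Note the last case: splitting nonce and key generation into two objects only helps when the two pools are seeded from independent entropy, otherwise the "private" pool is just a copy of the public one and the attacker needs no chain-walking at all.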

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com