Randomness

Paul Onions paul_onions at siliconinfusion.com
Wed May 7 07:39:41 EDT 2003


On Monday 05 May 2003 4:51 pm, Ben Laurie wrote:
> People might be interested in a paper I've written on randomness:
> http://www.apache-ssl.org/randomness.pdf. Comments, as always, are more
> than welcome.
>
> Cheers,
>
> Ben.

Interesting article, certainly gets one thinking!  One point though.  Quoting 
from the top of page 6:-

    Another question is how much state should be shared between the various
    different APIs. If one assumes the PRNG is secure, then this seems to be
    easily resolved: they can all share all the state, except insecureprng(),
    which requires less conditional entropy. Once there is sufficient entropy
    for the other APIs to start working, then even insecureprng() can share
    their state.

Can insecureprng() really share the same state as the secure PRNGs?  Since 
there is no requirement for unpredictability it would seem that an instance 
of insecureprng() that leaks the internal state is not disallowed.  So maybe 
it's possible for an adversarial process to reconstruct the internal state 
from calls to insecureprng(), and then effectively know the answers that will 
be given to the queries by other processes to the secure PRNGs (or at least 
acquire enough information to be able to restrict the search for the secure 
PRNG seeds).

I guess it all depends on the system as designed and implemented, so maybe 
some kind of (formal) model is needed to describe such a system (allowing one 
to derive its security properties from the model).

Regards,
Paul(o)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
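The concern in the reply above, that an insecureprng() with no unpredictability requirement may hand out raw shared state and thereby let an observer predict what the secure PRNGs will return, can be illustrated with a small model. The following Python is an added example and is not code from the paper or from either poster; the pool, its step function and the three output functions are toy constructions (SHA-256 is used as a stand-in one-way function) and the 256-bit state size is an assumption.

```python
import hashlib


class SharedPool:
    """Toy entropy pool shared by several PRNG APIs (constructed for illustration)."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(seed).digest()  # 256-bit state (assumption)

    def step(self) -> None:
        # Advance the state through a one-way function so that an old state
        # cannot be recovered from a newer one.
        self.state = hashlib.sha256(b"step" + self.state).digest()


def secure_prng(pool: SharedPool) -> bytes:
    """Secure API: output is a one-way, domain-separated function of the state."""
    out = hashlib.sha256(b"secure" + pool.state).digest()
    pool.step()
    return out


def leaky_insecure_prng(pool: SharedPool) -> bytes:
    """Naive insecureprng(): returns the raw state words.

    Nothing in a spec that only demands 'no unpredictability required'
    forbids this, which is exactly the sharing problem raised in the reply.
    """
    out = pool.state  # leaks the entire shared state
    pool.step()
    return out


def separated_insecure_prng(pool: SharedPool) -> bytes:
    """Hardened insecureprng(): same shared state, but output goes through a
    domain-separated one-way function, so the state itself is never exposed."""
    out = hashlib.sha256(b"insecure" + pool.state).digest()
    pool.step()
    return out


def observer_predict_next_secure(observed: bytes) -> bytes:
    """What someone who saw one insecureprng() output can compute about the
    next secure_prng() call, treating the observed bytes as the pool state.
    The derivation algorithm is assumed public (Kerckhoffs' principle)."""
    next_state = hashlib.sha256(b"step" + observed).digest()
    return hashlib.sha256(b"secure" + next_state).digest()


def demo_leaky(seed: bytes = b"constructed-demo-seed") -> bool:
    """True: with the leaky variant the secure output is fully predicted."""
    pool = SharedPool(seed)
    leaked = leaky_insecure_prng(pool)
    predicted = observer_predict_next_secure(leaked)
    return predicted == secure_prng(pool)


def demo_separated(seed: bytes = b"constructed-demo-seed") -> bool:
    """False: the observer only holds a hash of the state, and turning it back
    into the state would mean inverting SHA-256."""
    pool = SharedPool(seed)
    seen = separated_insecure_prng(pool)
    guess = observer_predict_next_secure(seen)
    return guess == secure_prng(pool)


if __name__ == "__main__":
    print("leaky insecureprng lets observer predict secure output:", demo_leaky())
    print("separated insecureprng lets observer predict secure output:", demo_separated())
```

The design point the model makes is that sharing a pool is only safe if every API, including the one with no secrecy requirement, reads the pool through a one-way, domain-separated derivation; otherwise the weakest consumer defines the secrecy of the whole state. Whether a given implementation meets that condition is what a formal model of the system, as the reply suggests, would have to capture.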
