RNG quality verification

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Dec 23 10:59:58 EST 2005


Philipp Gühring <pg at futureware.at> writes:

>What is wrong with the following black-box test?
>
>* Open browser
>* Go to a dummy CA's website
>* Let the browser generate a keypair through the <keygen> or cenroll.dll
>* Import the generated certificate
>* Backup the certificate together with the private key into a PKCS#12 container
>* Extract the private key from the backup
>* Extract p and q from the private key
>* Extract the random parts of p and q (strip off the first and the last bit)
>* Automate the previous steps with some GUI-Automation system
>* Concatenate all random bits from all the keypairs together
>* Do the usual statistical tests with the random bits

How would this differentiate between keygen for which the PRNG is
SHA1( get_thermal_noise() ) and one where it's SHA1( counter++ )?  Or
one where it's get_constant_value() and you take the counter++ -th primes as p
and q?  Or one where ...?  In addition the PRNG input to the keygen process
has no bearing on the form of the primes generated, look at the IPsec DH
primes with their long strings of 1 bits for an example, they'd fail a
statistical test because they've been specially constructed to have a certain
form, but that makes them stronger, not weaker.  Thus both David Wagner's and
my comments that the people asking this question/setting this requirement
don't understand the problem.  So if you want a solution to something
originating at the bureaucratic layer, you need to provide the solution at the
bureaucratic layer.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
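Added example, not part of the original message: it runs the frequency (monobit) and runs tests from NIST SP 800-22 over two bit streams, one built as SHA1(counter++) and one as SHA1 of fresh entropy, to show that the statistics only ever see SHA-1 digests and carry no information about the input behind them. The function names are hypothetical, and `os.urandom` is an assumed stand-in for `get_thermal_noise()`.

```python
import hashlib
import math
import os

def sha1_stream(blocks, source):
    """Concatenate SHA1(source(i)) for i in range(blocks)."""
    return b"".join(hashlib.sha1(source(i)).digest() for i in range(blocks))

def counter_source(i):
    # Fully predictable input: anyone who knows the scheme can regenerate the stream.
    return i.to_bytes(8, "big")

def entropy_source(i):
    # Assumed stand-in for get_thermal_noise(): the OS CSPRNG.
    return os.urandom(32)

def bits_of(data):
    return [(byte >> k) & 1 for byte in data for k in range(7, -1, -1)]

def monobit_p(bits):
    """NIST SP 800-22 frequency (monobit) test p-value."""
    s = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))

def runs_p(bits):
    """NIST SP 800-22 runs test p-value (0.0 if the frequency precondition fails)."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    return math.erfc(abs(v - 2 * n * pi * (1 - pi))
                     / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def evaluate(source, blocks=2000):
    """Return the p-values the black-box tester would see for this source."""
    bits = bits_of(sha1_stream(blocks, source))
    return {"monobit": monobit_p(bits), "runs": runs_p(bits)}

if __name__ == "__main__":
    for name, src in (("SHA1(counter++)", counter_source),
                      ("SHA1(entropy)", entropy_source)):
        print(name, {k: round(p, 4) for k, p in evaluate(src).items()})
```

Both rows are judged on the same criteria, and nothing in the verdict reflects that the first stream can be regenerated bit for bit by anyone who knows the construction.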


