RNG quality verification
Philipp Gühring
pg at futureware.at
Fri Dec 23 10:09:15 EST 2005
Hi Peter,
> Easily solvable bureaucratic problems are much simpler than unsolvable
> mathematical ones.
Perhaps there is some misunderstanding, but I am getting worried that the
common conception seems to be that it is an unsolvable problem.
What is wrong with the following black-box test?
* Open browser
* Go to a dummy CA's website
* Let the browser generate a keypair through the <keygen> or cenroll.dll
* Import the generated certificate
* Backup the certificate together with the private key into a PKCS#12 container
* Extract the private key from the backup
* Extract p and q from the private key
* Extract the random parts of p and q (strip off the first and the last bit)
* Automate the previous steps with some GUI-Automation system
* Concatenate all random bits from all the keypairs together
* Do the usual statistical tests with the random bits
Is this a valid solution, or is the question of the proper usage of random
numbers in certificate keying material really mathematically unsolvable?
(I am not an RSA specialist yet, I tried to stay away from the bit-wise details
and the mathematics, so I might be wrong)
But I would really worry if it is mathematically impossible to attest the
correct usage (to a certain extent, I know about the statistical limitations)
of random numbers with the software I am using to get certificates.
Best regards,
Philipp Gühring
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
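
The last steps of the black-box test described in the message above (strip the first and last bit of p and q, concatenate, run statistical tests), as an added example that is not part of the original message. It assumes the primes come from a simulated generator (`gen_prime` and `harvest` are hypothetical stand-ins for keys extracted from PKCS#12 backups), and the two tests are the frequency and runs tests from NIST SP 800-22.

```python
import math
import random

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin for odd n > 3 (the only candidates gen_prime produces)."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    """Constructed stand-in for a browser keygen: first and last bit forced to 1."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def random_part(prime):
    """Bits of a prime with the first and last bit stripped, as the post proposes."""
    return [int(b) for b in bin(prime)[3:-1]]

def monobit_p(bits):
    """Frequency (monobit) test p-value, NIST SP 800-22 section 2.1."""
    return math.erfc(abs(2 * sum(bits) - len(bits)) / math.sqrt(2 * len(bits)))

def runs_p(bits):
    """Runs test p-value, NIST SP 800-22 section 2.3."""
    n, pi = len(bits), sum(bits) / len(bits)
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0  # frequency precondition failed, runs test not applicable
    v = 1 + sum(a != b for a, b in zip(bits, bits[1:]))
    return math.erfc(abs(v - 2 * n * pi * (1 - pi)) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def harvest(n_keys, bits, rng):
    """Concatenate the random parts of p and q from n_keys simulated keypairs."""
    return [b for _ in range(2 * n_keys) for b in random_part(gen_prime(bits, rng))]

if __name__ == "__main__":
    stream = harvest(40, 256, random.Random(2005))  # constructed input, fixed seed
    print(f"bits={len(stream)} monobit={monobit_p(stream):.3f} runs={runs_p(stream):.3f}")
```

The sample stream comes from a fixed-seed, fully predictable generator on purpose: these tests measure bias in the harvested bits, not unpredictability of the source. Some key generators also fix further high bits of each prime, and those would have to be stripped before testing as well.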