handling weak keys using random selection and CSPRNGs

Steven M. Bellovin smb at cs.columbia.edu
Thu Oct 12 17:05:55 EDT 2006


On Thu, 12 Oct 2006 16:50:13 -0400 (EDT), "Leichter, Jerry"
<leichter_jerrold at emc.com> wrote:

> This suggests that,
> rather than looking for weak keys as such, it might be worth it to
> do "continuous online testing":  Compute the entropy of the generated
> ciphertext, and its correlation with the plaintext, and sound an
> alarm if what you're getting looks "wrong".  This might be a
> worthwhile thing to have, not just for detecting weak keys, but
> to detect all kinds of software and hardware failures.  Since it's
> outside of the actual encryption datapath, a bug either fails to
> sound an alarm when it should - leaving you where you were without
> this new check - or sounds a false alarm, which unless it occurs
> too often, shouldn't be such a big deal.
> 
This is a very interesting suggestion, but I suspect people need to be
cautious about false positives.  MP3 and JPG files will, I think, have
similar entropy statistics to encrypted files; so will many compressed
files.

For a more substantive, less hand-wavey analysis, see
http://www.isoc.org/isoc/conferences/ndss/05/proceedings/papers/storageint.pdf
which has actual file system entropy measurements. 


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
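
The measurement discussed in this message, as an added example (not code from either poster): byte-level Shannon entropy and a positional match rate, run over constructed samples. The 7.5 bits/byte and 0.05 thresholds, the word list, and the SHA-256 counter stream standing in for healthy cipher output are assumptions.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

ALARM_BITS_PER_BYTE = 7.5  # assumed threshold, not a value from the thread


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def match_rate(plaintext: bytes, output: bytes) -> float:
    """Fraction of positions where output equals input (about 1/256 if unrelated)."""
    n = min(len(plaintext), len(output))
    return sum(p == c for p, c in zip(plaintext, output)) / n if n else 0.0


def looks_wrong(plaintext: bytes, output: bytes) -> bool:
    """Alarm if the output has low entropy or tracks the plaintext (0.05 is assumed)."""
    return byte_entropy(output) < ALARM_BITS_PER_BYTE or match_rate(plaintext, output) > 0.05


def constructed_samples() -> dict:
    """Constructed inputs: word-salad text, its zlib form, and a hash-counter stream."""
    rng = random.Random(2006)
    words = ["key", "cipher", "entropy", "alarm", "plaintext", "weak", "test", "random",
             "file", "block", "stream", "output", "check", "fault", "online", "data"]
    text = " ".join(rng.choice(words) for _ in range(40000)).encode()
    stream = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(2048))
    return {"text": text, "compressed": zlib.compress(text, 9), "random_like": stream}


if __name__ == "__main__":
    s = constructed_samples()
    for name, data in s.items():
        print(f"{name:12s} {len(data):7d} bytes  {byte_entropy(data):.3f} bits/byte")
    # A failed datapath that passes plaintext through unchanged trips both checks.
    print("identity 'cipher' alarms:", looks_wrong(s["text"], s["text"]))
    print("random-like output alarms:", looks_wrong(s["text"], s["random_like"]))
```

The compressed sample lands on the same side of the entropy threshold as the random-like stream, so a byte-entropy figure by itself does not tell the two apart.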
