CPRNGs are still an issue.

Perry E. Metzger perry at piermont.com
Wed Dec 17 15:02:54 EST 2008

Jerry Leichter <leichter at lrw.com> writes:
> SSD's are complicated devices.

Complexity makes it hard to understand the security characteristics of
relying on the timing of the devices.

> So ... use with extreme caution.  Estimate conservatively.  Mix any
> apparent entropy you get with other sources.

The longer I'm in this field, the more the phrase "use with extreme
caution" seems to mean "don't use" to me. More and more, I think that
if you don't have a really good way to test and get assurance about a
component of your security architecture, you should leave that
component out.

That's one reason I recommended "just use AES in counter mode" as the
best way to generate random numbers in a low cost embedded context --
it is easy to get assurance simply by running AES validation tests,
and you confine your risk to one easily examined part of the process,
the key generator in the factory.

I'm reminded of Tony Hoare's old saw about systems: "There are two
ways of constructing a software design: One way is to make it so
simple there are obviously no deficiencies and the other way is to
make it so complicated that there are no obvious deficiencies."


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list