CPRNGs and assurance...
Jerry Leichter
leichter at lrw.com
Wed Dec 17 17:03:46 EST 2008
On Dec 17, 2008, at 3:18 PM, Perry E. Metzger wrote:
>
> I'd like to expand on a point I made a little while ago about the
> "just throw everything at it, and hope the good sources drown out the
> bad ones" entropy collection strategy.
>
> The biggest problem in security systems isn't whether you're using 128
> bit or 256 bit AES keys or similar trivia. The biggest problem is the
> limited ability of the human mind to understand a design. This leads
> to design bugs and implementation bugs. Design and implementation
> flaws are the biggest failure mode for security systems, not whether
> it will take all the energy in our galaxy vs. the entire visible
> universe to brute force a key.
>
> So, if you're designing any security system, the biggest thing on your
> mind has to be how to validate that the system is secure. That
> requires ways to know your design was correct, and ways to know you
> actually implemented your design correctly....
Excellent points.
For the particular case of random generators based on mixing multiple
sources, I would suggest that there are some obvious - if, apparently,
little-used - testing strategies that will eliminate the most common
failure modes:
1. Test the combiner. The combiner is a deterministic function. If
you give it known inputs, the results will always be the same. The
result is supposed to depend sensitively on all the inputs, so if you
change any input, you should get very different outputs. This kind of
testing would have avoided the Debian fiasco.
Note that knowing you have to write such a test will also discourage
throwing in all sorts of complexity you don't understand because "it
can't hurt". It can, and has.
2. There are many tests you can apply that will detect *non*-randomness.
Test the *inputs* to your combiner. If an input
consistently fails, think about whether it's adding enough
value to be worth the complexity. If your inputs normally succeed and
start failing ... something is wrong.
Since it's cheap to do, you might as well apply the same test to the
output of the combiner - but don't expect to learn anything: With any
decent combiner, even fixed inputs should produce random-looking
output. So any problem detected this way is very serious.
-- Jerry
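
Added example, not part of the original message: one way to write the combiner test from point 1. The SHA-256 combiner, the deliberately broken variant, the sample inputs and the 64-bit threshold are all assumptions made for this illustration.

```python
import hashlib

def combine(sources):
    """Hypothetical combiner: SHA-256 over length-prefixed inputs."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big") + s)  # prefix keeps boundaries unambiguous
    return h.digest()

def broken_combine(sources):
    """Constructed defect: only the last source reaches the hash."""
    h = hashlib.sha256()
    h.update(sources[-1])  # mixing of the other sources was removed
    return h.digest()

def bit_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def insensitive_inputs(combiner, sources, min_bits=64):
    """Return indices of sources for which some single-bit change does not
    move the output by at least min_bits (a 256-bit hash should move ~128)."""
    baseline = combiner(sources)
    if combiner(sources) != baseline:
        raise AssertionError("combiner is not deterministic on fixed inputs")
    dead = []
    for i, s in enumerate(sources):
        for bit in range(len(s) * 8):
            flipped = bytearray(s)
            flipped[bit // 8] ^= 1 << (bit % 8)
            trial = sources[:i] + [bytes(flipped)] + sources[i + 1:]
            if bit_distance(baseline, combiner(trial)) < min_bits:
                dead.append(i)
                break
    return dead

# Constructed sample inputs standing in for three entropy sources.
SAMPLE = [b"timer:0123456789", b"disk:abcdef", (1234).to_bytes(2, "big")]

if __name__ == "__main__":
    print("good combiner, dead inputs:", insensitive_inputs(combine, SAMPLE))
    print("broken combiner, dead inputs:", insensitive_inputs(broken_combine, SAMPLE))
```

A non-empty result names the inputs the output has stopped depending on, which is the failure this test exists to catch.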
---------------------------------------------------------------------
The Cryptography Mailing List