Possibly questionable security decisions in DNS root management
Greg Rose
ggr at qualcomm.com
Tue Oct 20 17:45:34 EDT 2009
On 2009 Oct 19, at 9:15 , Jack Lloyd wrote:
> On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
>
>> DSA was (designed to be) full of covert channels.
> And, for that matter, one can make DSA deterministic by choosing the k
> values to be HMAC-SHA256(key, H(m)) - this will cause the k values to
> be repeated, but only if the message itself repeats (which is fine,
> since seeing a repeated message/signature pair is harmless), or if one
> can induce collisions on HMAC with an unknown key (which seems a
> profoundly more difficult problem than breaking RSA or DSA).
Ah, but this doesn't solve the problem; a compliant implementation
would be deterministic and free of covert channels, but you can't
reveal enough information to convince someone *else* that the
implementation is compliant (short of using zero-knowledge proofs,
let's not go there). So a hardware nubbin could still leak information.
Greg.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list