[Cryptography] What's a Plausible Attack On Random Number Generation?

Yaron Sheffer yaronf.ietf at gmail.com
Fri Nov 1 07:04:45 EDT 2013


On 2013-11-01 06:04, John Gilmore wrote:
>> So actually the "beacon" should be done differently.  Every existing
>> system that already has access to randomness, will periodically
>> multicast some "random bits".  A newly booted system is able to see
>> this stuff (it will have to know where to look, of course).  The
>> bits themselves aren't particularly useful, but the timing
>> information should be.
>
> This is sort of like "BOOTP for RNGs".  It sounds like an interesting
> R&D project.  Deliberately relying on external inputs (even the timing
> of external inputs) invites attackers, of course.  And spraying output
> from your well-fed RNG out to the world invites a different class of
> attackers.  Which is why this is more like a multi-year research
> effort as opposed to an implement-it-and-forget-it service.
>
It sounds like a quick addition to DHCP, an extension that gets you 256 
bits from the server, would solve 99% of the problem we have with 
embedded devices. It will not be sufficient for high-security 
environments, because an attacker might be listening on the local LAN, 
but it will provide the entropy we need to initialize SSH, TLS and IPsec. 
And it is much better than relying on fixed information (MAC address 
etc.) and a few bits of timing.

Looks very much like an "implement it, standardize it and forget it" 
kind of thing to me.

Thanks,
	Yaron
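The reply above sketches a DHCP option that hands a freshly booted device 256 bits from the server, and notes the caveat that anyone on the local LAN can see those bits. The block below is an added example, not code from the thread or from any DHCP implementation: it parses the RFC 2132 TLV options area, pulls out a hypothetical seed option (option code 224 is assumed here; it is in the private-use range and is not an assigned option), and hashes the seed together with the device's MAC, a boot tick count and whatever local noise the device has. The point the example makes concrete is that the server-supplied bits are only ever mixed in, never used alone: an attacker who sniffed them still has to guess the local inputs, and a device that receives no usable option falls back to the local-only mix rather than failing or seeding from a constant.

```python
"""Added example (not from the original thread): mixing a seed delivered by a
hypothetical DHCP option into a device's initial RNG seed."""
import hashlib
import os
import struct

# Hypothetical option code for "256-bit RNG seed from the DHCP server".
# 224-254 are private-use codes (RFC 3942); this is NOT an assigned option.
OPT_RNG_SEED = 224
SEED_LEN = 32
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53          # real option: DHCP Message Type (RFC 2132)


def parse_dhcp_options(blob):
    """Parse a DHCP options area (code, length, value) into {code: value}.

    Raises ValueError on a truncated option so the caller can decide what
    to do; silently accepting a short seed would be the wrong default.
    """
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def extract_seed(opts):
    """Return the server seed only if it is present and exactly 32 bytes."""
    seed = opts.get(OPT_RNG_SEED)
    if seed is None or len(seed) != SEED_LEN:
        return None
    return seed


def _encode(fields):
    """Length-prefix each (tag, value) pair so no two input sets collide."""
    out = b""
    for tag, value in fields:
        out += struct.pack(">BH", tag, len(value)) + value
    return out


def derive_initial_seed(dhcp_seed, mac, boot_ticks, local_noise):
    """Hash every available source into one 32-byte seed.

    The DHCP seed is optional: if it is absent the result depends only on
    the local inputs, and if it is present but known to a LAN sniffer the
    attacker still has to guess mac/boot_ticks/local_noise.  Mixing an
    attacker-visible input through the hash cannot make the output easier
    to predict than the local inputs alone.
    """
    fields = [
        (1, bytes(mac)),
        (2, struct.pack(">Q", boot_ticks)),
        (3, bytes(local_noise)),
    ]
    if dhcp_seed is not None:
        fields.append((4, dhcp_seed))
    return hashlib.sha256(b"rng-seed-v1" + _encode(fields)).digest()


def seed_device(options_blob, mac, boot_ticks, local_noise):
    """Full boot-time path: parse, extract, mix.  Returns (seed, used_dhcp)."""
    try:
        dhcp_seed = extract_seed(parse_dhcp_options(options_blob))
    except ValueError:
        dhcp_seed = None            # malformed options: treat as "no seed"
    seed = derive_initial_seed(dhcp_seed, mac, boot_ticks, local_noise)
    return seed, dhcp_seed is not None


# Constructed sample: a DHCPACK carrying the hypothetical seed option.
SAMPLE_OPTIONS = (
    bytes([OPT_MSG_TYPE, 1, 5])                            # DHCPACK
    + bytes([OPT_RNG_SEED, SEED_LEN]) + bytes(range(32))    # seed (constructed)
    + bytes([OPT_PAD, OPT_END])
)
SAMPLE_MAC = bytes.fromhex("001122334455")                   # constructed

if __name__ == "__main__":
    noise = os.urandom(8)   # stand-in for whatever jitter the device has
    seed, used = seed_device(SAMPLE_OPTIONS, SAMPLE_MAC, 1000, noise)
    print("used DHCP seed:", used, "seed:", seed.hex())
    seed, used = seed_device(b"\xff", SAMPLE_MAC, 1000, noise)
    print("used DHCP seed:", used, "seed:", seed.hex())
```

The length-prefixed encoding matters more than it looks: concatenating raw fields would let a server pick a seed whose bytes shift the boundary with the MAC or tick fields, and the fixed prefix string keeps this hash distinct from any other SHA-256 use on the device. Whatever replaces `local_noise` in a real device is the part an attacker on the LAN cannot see, so it is the part worth spending engineering effort on.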
