[Cryptography] What's a Plausible Attack On Random Number Generation?

John Denker jsd at av8n.com
Fri Nov 1 20:00:09 EDT 2013



On 11/01/2013 04:08 PM, Nico Williams wrote:
> 
> It's a bug that ssh to localhost:22 is not special.

<scenario>
 Here's a hypothetical scenario for you to consider:

 Some guy dresses up in sackcloth and ashes and goes to the SSH 
 developers and says:
   (a) We've done everything humanly possible, and there's just 
     no way the RNG can produce stuff good enough for cutting
     SSH host keys.
   (b) Therefore you need to treat "ssh localhost" as a special case.
   (c) This is a bug in SSH.

 At this point the SSH guys say 
   "We'd love to help you out.  Which way did you come in?"

  And then our guy goes around to the developers of every other
  app that uses random numbers.  And also to the kernel developers,
  since the kernel is a major consumer of PRNG bits ... some of 
  which go for trivial purposes, but some for utterly nontrivial
  purposes.
</scenario>

If *you* want to take that approach, be my guest ... but I'm not
gonna do it.  It's not my style to blame the user.  Also, I don't
believe a single thing (a) through (c) that the guy said.

On 11/01/2013 04:06 PM, Glenn Willen wrote:

> Honestly, how much would it hurt to do the same thing in the general
> case? Let ssh generate a host key on first boot, then once the
> entropy pool fills, throw the key away and generate a new permanent
> key?

That would hurt a lot.  I would consider it a crock.  It requires 
SSH to know waaay too much about the PRNG.  Throwing away host keys 
also means selectively editing who-knows-how-many known_host files.

Most of all, SSH is merely one representative of a large class 
of applications that use PRNG bits.  Messing with the applications 
is the hard way to solve the problem.

It would be far easier to construct a PRNG that just ... ahem ...
puts out randomly-distributed numbers.  Easier to build, easier to 
test, easier to trust, easier to document, easier to use, easier 
to maintain ......


