[Cryptography] SP800-90A B & C

ianG iang at iang.org
Mon Nov 11 08:29:06 EST 2013


On 10/11/13 23:09 PM, Watson Ladd wrote:
> On Fri, Nov 8, 2013 at 2:10 PM, David Johnston <dj at deadhat.com> wrote:
>> For those with insomnia issues, I have submitted public comments to NIST
>> against SP800-90A, B and C.
>>
>> The current comments are here:
>> http://www.davidsdesktop.com/media/sp80090/SP800-90commentsNov8th_2013.pdf
>>
>> Earlier comments on earlier drafts are here:
>> http://www.davidsdesktop.com/media/sp80090/Comments_on_first_draft_SP80090BC.pdf
>> and here:
>> http://www.davidsdesktop.com/media/sp80090/Comments_SP80090BC_Aug2011.pdf
>>
> I disagree with some of these comments, and agree with others, but I
> think it would be productive to have a broader discussion of the
> issues you raise (modulo
> editorial foibles)
>
> There are (broadly speaking) two different designs for random number
> generators. NIST is using the physics+stretch approach: A low
> bandwidth source of random bits, defined in 90B, periodically reseeds
> a pseudorandom generator as in 90A.
>
> The other design, exemplified by Yarrow, Fortuna, the Linux kernel
> randomness subsystem, and others, uses large numbers of inputs of
> unknown entropy, and attempts to distill a few bits of known entropy.
>
> I believe that we have a much better handle on the first class of
> designs from a cryptanalytic perspective than the second. In
> particular, the pooling design can fail in very subtle ways if it has
> too few sources. By contrast the first approach is guaranteed by
> design to have a seed from a random process if it works.

Is guaranteed on paper, but this only works if we assume there is no 
manipulation.  Which is the topic du jour.

As always, it is a trade-off which is informed by your risk analysis. 
Do the risks from the threat of manipulation exceed the risks due to 
complexity?



iang
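To make the "physics + stretch" design in the quoted message concrete, here is an added example (not code from this thread, from NIST, or from any product) of an SP 800-90A HMAC_DRBG over SHA-256 that pulls fresh seed material from a slow entropy source only at instantiation and after every `reseed_interval` requests. The entropy source is an injected callable; the `CountingSource` wrapper, the `scripted_producer` (a constructed, fully deterministic stand-in for a real source, used only so the run is reproducible) and `run_stretch_demo` are assumptions of this example, not part of the standard.

```python
"""HMAC_DRBG (SP 800-90A, section 10.1.2) with periodic reseeding from a
slow entropy source.  Added example for the 'physics + stretch' design:
the stretch part (the DRBG) is deterministic; all unpredictability comes
from whatever the source hands over at instantiation and reseed time."""
import hashlib
import hmac
import os
from typing import Callable, List, Tuple


class HmacDrbg:
    OUTLEN = 32                       # SHA-256 output, bytes
    MAX_BYTES_PER_REQUEST = 1 << 16   # 2**19 bits per request (SP 800-90A limit)

    def __init__(self, entropy_source: Callable[[int], bytes], nonce: bytes = b"",
                 personalization: bytes = b"", reseed_interval: int = 10_000):
        self.entropy_source = entropy_source
        self.reseed_interval = reseed_interval
        self.reseed_count = 0         # example bookkeeping, not part of the standard
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        # Instantiate: seed_material = entropy_input || nonce || personalization
        self._update(entropy_source(self.OUTLEN) + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        """HMAC_DRBG_Update: mix provided_data into (K, V)."""
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if not provided_data:
            return
        self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
        self.V = self._hmac(self.K, self.V)

    def reseed(self, additional_input: bytes = b"") -> None:
        """Pull fresh entropy from the slow source and fold it into the state."""
        self._update(self.entropy_source(self.OUTLEN) + additional_input)
        self.reseed_counter = 1
        self.reseed_count += 1

    def generate(self, n: int, additional_input: bytes = b"") -> bytes:
        if n > self.MAX_BYTES_PER_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self.reseed_counter > self.reseed_interval:
            self.reseed(additional_input)     # the periodic reseed from 90B-style source
            additional_input = b""            # consumed by the reseed, per the standard
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n]


class CountingSource:
    """Wraps a bytes producer and counts how often the DRBG asks it for seed material."""
    def __init__(self, producer: Callable[[int], bytes]):
        self.producer = producer
        self.calls = 0

    def __call__(self, n: int) -> bytes:
        self.calls += 1
        return self.producer(n)


def scripted_producer(label: bytes) -> Callable[[int], bytes]:
    """Constructed, fully deterministic 'entropy' so runs are reproducible.
    This is NOT random; a real deployment would use os.urandom or a 90B source."""
    counter = [0]

    def produce(n: int) -> bytes:
        counter[0] += 1
        return hashlib.sha256(label + counter[0].to_bytes(4, "big")).digest()[:n]
    return produce


def run_stretch_demo(source_factory: Callable[[], CountingSource],
                     reseed_interval: int = 3, requests: int = 5) -> Tuple[List[bytes], int, int]:
    """Instantiate over the given source, make several 16-byte requests and
    report (outputs, number of reseeds, number of times the source was consulted)."""
    src = source_factory()
    drbg = HmacDrbg(src, nonce=b"constructed-nonce", reseed_interval=reseed_interval)
    outputs = [drbg.generate(16) for _ in range(requests)]
    return outputs, drbg.reseed_count, src.calls


if __name__ == "__main__":
    outs, reseeds, calls = run_stretch_demo(lambda: CountingSource(scripted_producer(b"A")))
    print("reseeds:", reseeds, "source calls:", calls)
    real = HmacDrbg(os.urandom, nonce=os.urandom(16))   # practical instantiation
    print(real.generate(16).hex())
```

With `reseed_interval=3` and five requests, the source is consulted exactly twice (once to instantiate, once for the single reseed): the generator stretches 64 bytes of seed material into as much output as the interval allows. The same run also shows the point made in the reply above: two instances fed identical seed material produce identical output streams, so the design's guarantee rests entirely on the source delivering honest, unpredictable bytes; a manipulated or stuck source is not detected by the DRBG itself, which is why 90B-style health tests on the source sit beside the 90A generator.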

