[Cryptography] [cryptography] Random number generation influenced, HW RNG

Jon Callas jon at callas.org
Sun Sep 8 13:41:55 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Sep 7, 2013, at 8:06 PM, John Kelsey <crypto.jmk at gmail.com> wrote:

> There are basically two ways your RNG can be cooked:
> 
> a.  It generates predictable values.  Any good cryptographic PRNG will do this if seeded by an attacker.  Any crypto PRNG seeded with too little entropy can also do this.  
> 
> b.  It leaks its internal state in its output in some encrypted way.  Basically any cryptographic processing of the PRNG output is likely to clobber this. 

There's also another way -- that it's a constant PRNG.

For example, take a good crypto PRNG, seed it in manufacturing, and then in its life, it just outputs from that fixed state. That fixed state might be secret or known to outsiders, but either way, it's a cooked PRNG.

Sadly, there were (are?) some hardware PRNGs on TPMs that were precisely this.

	Jon



-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFSLLbjsTedWZOD3gYRAhMzAJ93/YEF8mTwdJ/ktl5SiR5IPp4DtwCeIrZh
KHVy+CIpN69GpJNlX0LiKiM=
=i4b8
-----END PGP SIGNATURE-----
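The "constant PRNG" failure mode Jon describes (a good DRBG seeded once in manufacturing and never reseeded, so every boot replays the same stream) is easy to simulate, and doing so also illustrates why John Kelsey's point (b) does not help here: cryptographic post-processing hides the internal state but cannot hide that the stream is the same every time. The following is an added example, not code from either poster; `ToyDrbg`, `Device` and the detection check are constructed for illustration, and the toy HMAC-counter generator stands in for whatever DRBG a real TPM would use.

```python
import hashlib
import hmac
import os
from typing import List


class ToyDrbg:
    """Minimal HMAC-SHA256 counter-mode generator (constructed for this example).

    The construction itself is sound: given a secret, unpredictable seed the
    output is unpredictable. The failure shown below is entirely about how
    the seed is supplied, not about the generator.
    """

    def __init__(self, seed: bytes) -> None:
        self.key = hashlib.sha256(seed).digest()
        self.counter = 0

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            self.counter += 1
        return out[:n]


class Device:
    """Simulated device. `reseed_at_boot=False` models the cooked TPM-style
    part: the state fixed in manufacturing is reloaded verbatim on every boot."""

    def __init__(self, manufacturing_state: bytes, reseed_at_boot: bool) -> None:
        self.manufacturing_state = manufacturing_state
        self.reseed_at_boot = reseed_at_boot
        self.drbg = None

    def boot(self) -> None:
        # Healthy device: fresh entropy each boot. Cooked device: same state forever.
        seed = os.urandom(32) if self.reseed_at_boot else self.manufacturing_state
        self.drbg = ToyDrbg(seed)

    def random_bytes(self, n: int) -> bytes:
        return self.drbg.generate(n)


def boot_outputs(device: Device, boots: int, n: int = 32) -> List[bytes]:
    """Power-cycle the device `boots` times and record its first `n` output bytes."""
    samples = []
    for _ in range(boots):
        device.boot()
        samples.append(device.random_bytes(n))
    return samples


def post_process(sample: bytes) -> bytes:
    """Models 'cryptographic processing of the PRNG output' (Kelsey's point b)."""
    return hashlib.sha256(sample).digest()


def detect_constant_prng(samples: List[bytes]) -> bool:
    """Defender-side health check: the first output after boot must never repeat.

    Any two identical boot-time outputs mean the generator started from the
    same state twice, i.e. it was never (re)seeded with fresh entropy.
    """
    return len(set(samples)) < len(samples)


# Constructed fixed manufacturing state; in a cooked part this would be whatever
# the factory programmed, secret or not.
FACTORY_STATE = b"constructed-manufacturing-state-0001"


def run_check(reseed_at_boot: bool, boots: int = 5) -> dict:
    dev = Device(FACTORY_STATE, reseed_at_boot)
    raw = boot_outputs(dev, boots)
    hashed = [post_process(s) for s in raw]
    return {
        "raw_repeats": detect_constant_prng(raw),
        "hashed_repeats": detect_constant_prng(hashed),
    }


if __name__ == "__main__":
    print("cooked device :", run_check(reseed_at_boot=False))
    print("healthy device:", run_check(reseed_at_boot=True))
```

The check only sees the symptom (a repeated boot-time stream), so it belongs in firmware or platform bring-up tests that persist a hash of the first output across reboots and alarm on a match; the hashed-output result shows that adding a hash or cipher stage downstream of such a generator changes nothing about this class of defect.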

