[Cryptography] [cryptography] Random number generation influenced, HW RNG
jon at callas.org
Sun Sep 8 13:41:55 EDT 2013
On Sep 7, 2013, at 8:06 PM, John Kelsey <crypto.jmk at gmail.com> wrote:
> There are basically two ways your RNG can be cooked:
> a. It generates predictable values. Any good cryptographic PRNG will do this if seeded by an attacker. Any crypto PRNG seeded with too little entropy can also do this.
> b. It leaks its internal state in its output in some encrypted way. Basically any cryptographic processing of the PRNG output is likely to clobber this.
There's also another way -- that it's a constant PRNG.
For example, take a good crypto PRNG, seed it in manufacturing, and then in its life, it just outputs from that fixed state. That fixed state might be secret or known to outsiders, but either way, it's a cooked PRNG.
Sadly, there were (are?) some hardware PRNGs on TPMs that were precisely this.
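As an added illustration, not part of this thread or of any TPM firmware it refers to: a small hash-based generator booted two ways, once from a fixed factory state (the "constant PRNG" of the post) and once with fresh entropy mixed in at each boot, plus the check a defender would want. Within a single session both pass a consecutive-block continuous test; only comparing the first output across boots reveals the fixed state. The DRBG, the seed and the boot functions are constructed for this example.

```python
import hashlib
import hmac
import os


class HashDrbg:
    """Minimal hash-based generator: output_i = HMAC(state, counter), state ratcheted after each call."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(seed).digest()
        self.counter = 0

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hmac.new(self.state, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        # Ratchet so earlier outputs cannot be recomputed from the current state.
        self.state = hashlib.sha256(b"ratchet" + self.state).digest()
        return out[:n]


# Constructed stand-in for a seed burned in during manufacturing.
MANUFACTURING_SEED = b"constructed fixed seed burned in at the factory"


def boot_constant_prng() -> HashDrbg:
    """The cooked design from the post: every boot starts from the same factory state."""
    return HashDrbg(MANUFACTURING_SEED)


def boot_reseeded_prng() -> HashDrbg:
    """A sound design: fresh entropy is mixed into the factory seed at every boot."""
    return HashDrbg(MANUFACTURING_SEED + os.urandom(32))


def continuous_test_passes(gen: HashDrbg, blocks: int = 16, size: int = 16) -> bool:
    """FIPS 140-2-style continuous test: consecutive blocks must differ. Cannot see across boots."""
    prev = gen.generate(size)
    for _ in range(blocks):
        cur = gen.generate(size)
        if cur == prev:
            return False
        prev = cur
    return True


def first_outputs_repeat(boot, boots: int = 4, sample: int = 32) -> bool:
    """Start-up check: sample the first bytes of several boots; a duplicate means constant state."""
    seen = set()
    for _ in range(boots):
        block = boot().generate(sample)
        if block in seen:
            return True
        seen.add(block)
    return False
```

In practice the cross-boot comparison is done by persisting the previous boot's first block and comparing at start-up; the constant design passes the in-session test and fails only that comparison.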