[Cryptography] Techniques for malevolent crypto hardware

John Kelsey crypto.jmk at gmail.com
Sun Sep 8 18:16:45 EDT 2013

On Sep 8, 2013, at 3:55 PM, Thor Lancelot Simon <tls at rek.tjls.com> wrote:
> I also wonder -- again, not entirely my own idea, my whiteboard partner
> can speak up for himself if he wants to -- about whether we're going
> to make ourselves better or worse off by rushing to the "safety" of
> PFS ciphersuites, which, with their reliance on DH, in the absence of
> good RNGs may make it *easier* for the adversary to recover our eventual
> symmetric-cipher keys, rather than harder!

I don't think you can do anything useful in crypto without some good source of random bits.  If there is a private key somewhere (say, used for signing, or the public DH key used alongside the ephemeral one), you can combine the hash of that private key into your PRNG state.  The result is that if your entropy source is bad, you get security to someone who doesn't compromise your private key in the future, and if your entropy source is good, you get security even against someone who compromises your private key in the future (that is, you get perfect forward secrecy).

> Thor


More information about the cryptography mailing list