[Cryptography] Techniques for malevolent crypto hardware
James A. Donald
jamesd at echeque.com
Sun Sep 8 23:42:36 EDT 2013
On 2013-09-09 11:15 AM, Perry E. Metzger wrote:
> Lenstra, Heninger and others have both shown mass breaks of keys based
> on random number generator flaws in the field. Random number
> generators have been the source of a huge number of breaks over time.
> Perhaps you don't see the big worry, but real world experience says
> it is something everyone else should worry about anyway.
Real world experience is that there is nothing to worry about /if you do
it right/. And that it is frequently not done right.

When you screw up AES or such, your test vectors fail, your unit test
fails, so you fix it, whereas if you screw up entropy, everything
appears to work fine.

It is hard, perhaps impossible, to have a test suite that makes sure that
your entropy collection works.

One can, however, have a test suite that ascertains that on any two runs
of the program, most items collected for entropy are different except
for those that are expected to be the same, and that on any run, any
item collected for entropy does make a difference.

Does your unit test check your entropy collection?
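
Added example, not part of the original message: a sketch of the two checks the message describes, that items differ between runs unless expected to repeat, and that every item affects the result. The collector, the item names and the SHA-256 mixer are constructed assumptions, and two calls in one process stand in for two runs of the program.

```python
import hashlib
import os
import time

def collect_items():
    """Constructed stand-in for a program's entropy collection: name -> bytes."""
    return {
        "os_random": os.urandom(32),
        "clock_ns": str(time.perf_counter_ns()).encode(),
        "pid": str(os.getpid()).encode(),  # same on both calls in one process
    }

def mix(items):
    """Hash every item, length-prefixed, into one seed."""
    h = hashlib.sha256()
    for name in sorted(items):
        data = items[name]
        h.update(name.encode() + b"\0" + len(data).to_bytes(4, "big") + data)
    return h.digest()

def repeated_items(run_a, run_b, expected_same=()):
    """Items identical in both runs that were not expected to be."""
    return sorted(n for n in run_a
                  if run_a[n] == run_b.get(n) and n not in expected_same)

def dead_items(items, mix_fn):
    """Items whose value can change without changing the mixed output."""
    base = mix_fn(items)
    dead = []
    for name, data in items.items():
        changed = dict(items)
        changed[name] = bytes(b ^ 0xFF for b in data) or b"\x01"
        if mix_fn(changed) == base:
            dead.append(name)
    return sorted(dead)

if __name__ == "__main__":
    a, b = collect_items(), collect_items()  # two calls stand in for two runs
    print("unexpected repeats:", repeated_items(a, b, expected_same={"pid"}))
    print("items with no effect:", dead_items(a, mix))
```

These checks catch wiring mistakes (a source stuck at a constant, an item never mixed in); they say nothing about how much entropy each item carries.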