[Cryptography] Techniques for malevolent crypto hardware

Jerry Leichter leichter at lrw.com
Tue Sep 10 06:42:12 EDT 2013

On Sep 9, 2013, at 9:17 AM, Kent Borg wrote:
>> Which brings into the light the question:  Just *why* have so many random number generators proved to be so weak.
> Your three cases left off an important one: Not bothering to seed the PRNG at all.  I think the Java/Android cryptographic (!) library bug that just came up was an instance of that.
> I think the root of the problem is that programs are written, and bugs squashed, until the program works. Maybe throw some additional testing at it if we are being thorough, but then business pressures and boredom says ship it.
> That won't catch a PRNG that wasn't seeded, nor a hashed password that wasn't salted, the unprotected URL, the SQL injection path, buffer overflow, etc.
Good observations, but I think you're being too pessimistic.  All the examples you give *could* be tested - but not by "ignorant black box testing" - testing that ignores not just what's inside the box, but the actual requirements on what the box is supposed to produce.  A non-seeded PRNG, and even one seeded with a very small amount of entropy, will be caught by a test that runs multiple instances of the PRNG from the system starting state and ensures that the ensemble of first outputs (and, for good measure, the first *couple* of outputs) has the right statistics.  Similarly, a test that inserts the same password into multiple instances of the same system in the same state can check that the hashed versions have the right statistics.  No, these can't catch deliberate attack code which produces random-looking values that the attacker can predict - no test can.  But it will catch a broad class of common errors.

The others aren't cryptographic issues and require different approaches.

The fact that there are bad testing practices - and that those bad practices are used all too often - doesn't mean there aren't good practices, and that they could not be applied.  Where the testing is bad because of ignorance of what is actually important and how to test for it, learning from the failures of the past is the way forward - which was exactly the point of the "PRNG failures" classification.
                                                        -- Jerry
