[Cryptography] The hypothetical random number generator backdoor

Alan Braggins alan.braggins at gmail.com
Wed Sep 25 05:17:16 EDT 2013


On 23 September 2013 01:09, Phillip Hallam-Baker <hallam at gmail.com> wrote:
> So we think there is 'some kind' of backdoor in a random number generator.
> One question is how the EC math might make that possible. Another is how
> might the door be opened.

Are you talking about http://en.wikipedia.org/wiki/Dual_EC_DRBG#Controversy
or hypothetical RNGs in general, maybe not even EC based?


> I was thinking about this and it occurred to me that it is fairly easy to
> get a public SSL server to provide a client with a session key - just ask to
> start a session.

For an RSA key exchange without ephemeral DH, the _client_ generates
the premaster secret from which the session key is derived.

However, ClientHello and ServerHello both contain random numbers sent
before key exchange. If you are intercepting traffic, you have a nonce generated
shortly before the session key generation for every key exchange, even without
starting sessions of your own.

Possibly you can use the client nonces to reduce the search space for
the session keys (and if it's an RC4 session key, maybe the biases in RC4 help?).
(Or, if using DHE, maybe it helps find DH private keys.)

And possibly if you have server nonces based on the same PRNG seed as was
used when the RSA key was generated, you can search for the RSA key.

-- 
alan.braggins at gmail.com
http://www.chiark.greenend.org.uk/~armb/
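The point above that ClientHello carries a Random value on the wire before any key exchange has a defensive use: a passive monitor can pull that field out of each handshake and flag a client that repeats it, since a Random reused across sessions is a classic symptom of a stuck or broken PRNG. The code below is an added example, not from this thread; it assumes a minimal TLS 1.2 ClientHello (one cipher suite, no extensions) that it constructs itself.

```python
import struct
from collections import Counter

def parse_client_random(record: bytes) -> bytes:
    """Return the 32-byte Random field from a raw TLS ClientHello record.

    Layout (RFC 5246): record header (5 bytes) -> handshake header (4 bytes)
    -> client_version (2) -> Random (4-byte gmt_unix_time + 28 random bytes).
    """
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short for a ClientHello")
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 1:  # 1 = client_hello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + hs_len]
    return hello[2:34]  # skip client_version, take Random

def flag_repeated_randoms(records) -> dict:
    """Passive RNG-health check over captured ClientHello records.

    Random must be fresh per handshake; any value seen more than once is
    returned (hex -> count) as evidence of a stuck or low-entropy client PRNG.
    """
    seen = Counter(parse_client_random(r) for r in records)
    return {rnd.hex(): n for rnd, n in seen.items() if n > 1}

def build_client_hello(random32: bytes, session_id: bytes = b"") -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record, used only as sample input."""
    assert len(random32) == 32
    body = (b"\x03\x03" + random32                      # client_version TLS 1.2
            + bytes([len(session_id)]) + session_id     # session_id
            + b"\x00\x02" + b"\xc0\x2f"                 # one cipher suite (ECDHE-RSA-AES128-GCM)
            + b"\x01\x00")                              # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    # Constructed captures: the first client repeats its Random, the second does not.
    stuck, fresh = bytes(range(32)), bytes(32)
    captures = [build_client_hello(stuck), build_client_hello(fresh), build_client_hello(stuck)]
    print(flag_repeated_randoms(captures))
```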
