[Cryptography] The hypothetical random number generator backdoor
Phillip Hallam-Baker
hallam at gmail.com
Tue Sep 24 19:53:34 EDT 2013
On Tue, Sep 24, 2013 at 10:59 AM, Jerry Leichter <leichter at lrw.com> wrote:
> On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker <hallam at gmail.com>
> wrote:
> > I was thinking about this and it occurred to me that it is fairly easy
> to get a public SSL server to provide a client with a session key - just
> ask to start a session.
> >
> > Which suggests that maybe the backdoor [for an NSA-spiked random number
> generator] is of the form that ... you get a lot of nonces [maybe just one]
> from the random number generator ... and that allows the [next one to be
> predicted more easily or even the] seed to be unearthed. One simple way
> [to stop this] would be to encrypt the nonces from the RNG under a secret
> key generated in some other fashion.
> >
> > nonce = E (R, k)
> >
> > Or hashing the RNG output and XORing with it
> >
> > nonce = R XOR H(R)
> You shifted from "random value" to "nonce". Given the severe effects on
> security that using a "nonce" - a value that is simply never repeated in a
> given cryptographic context; it may be predictable, even fixed - to a
> "random value", one needs to be careful about the language. (There's
> another layer as well, partly captured by "unpredictable value" but not
> really: Is it a value that we must plan on the adversary learning at some
> point, even though he couldn't predict it up front, or must it remain
> secret? The random values in PFS are only effective in providing forward
> security if they remain secret forever.)
>
> Anyway, everything you are talking about here is *supposed* to be a random
> value. Using E(R,k) is a slightly complicated way of using a standard
> PRNG: The output of a block cipher in counter mode. Given (a) the
> security of the encryption under standard assumptions; (b) the secrecy and
> randomness of k; the result is a good PRNG. (In fact, this is pretty much
> exactly one of the Indistinguishability assumptions. There are subtly
> different forms of those around, but typically the randomness of input is
> irrelevant - these are semantic security assumptions so knowing something
> about the input can't help you.) Putting R in there can't hurt, and if the
> way you got R really is random then even if k leaks or E turns out to be
> weak, you're still safe. However ... where does k come from? To be able
> to use any of the properties of E, k itself must be chosen at random. If
> you use the same generator as way use to find R, it's not clear that this
> is much stronger than R itself. If you have some assured way of getting a
> random k - why not use it for R itself? (This might be worth it if you can
> generate a k you believe in but only at a much lower rate than you can
> generate an R directly. Then you can "stretch" k over a number of R
> values. But I'd really think long and hard about what you're assuming
> about the various components.)
>
> BTW, one thing you *must not* do is have k and the session key relate to
> each other in any simple way.
>
> For hash and XOR ... no standard property of any hash function tells you
> anything about the properties of R XOR H(R). Granted, for the hash
> functions we generally use, it probably has about the same properties; but
> it won't have any more than that. (If you look at the structure of classic
> iterated hashes, the last thing H did was compute S = S + R(S), where S was
> the internal state and R was the round function. Since R is usually
> invertible, this is the only step that actually makes the whole thing
> non-invertible. Your more-or-less repetition of the same operation
> probably neither helps more hinders.)
>
> At least if we assume the standard properties, it's hard to get R from
> H(R) - but an attacker in a position to try a large but (to him) tractable
> number of guesses for R can readily check them all. Using R XOR H(R) makes
> it no harder for him to try that brute force search. I much prefer the
> encryption approach.
>
There are three ways a RNG can fail
1) Insufficient randomness in the input
2) Losing randomness as a result of the random transformation
3) Leaking bits through an intentional or unintentional side channel
What I was concerned about in the above was (3).
I prefer the hashing approaches. While it is possible that there is a
matched set of weaknesses, I find that implausible.
--
Website: http://hallambaker.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130924/f339bd6b/attachment.html>
More information about the cryptography
mailing list