[Cryptography] [cryptography] Underhanded Crypto
Ray Dillinger
bear at sonic.net
Tue Dec 2 17:38:23 EST 2014
On 12/02/2014 08:13 AM, Henry Baker wrote:
> At 10:03 PM 12/1/2014, Tom Mitchell wrote:
>> On Mon, Dec 1, 2014 at 8:59 PM, <lists at notatla.org.uk> wrote:
>> I suspect the joke has been missed.
>>
>> https://www.schneier.com/blog/archives/2008/05/random_number_b.html
>> http://www.links.org/?p=327
>
> Relying on an _uninitialized variable_ to produce randomness is perhaps even more idiotic than blaming the person who removed this line of code.
Yes. That was sort of my thought as well. Using uninitialized memory
as *input* to add to a generator that had a good amount of entropy
before you input the bytes, and which also gets lots of randomness from
other sources, isn't harmful. But relying on uninitialized memory alone,
or even mostly, to produce a good PRNG state is crayzee.
It is far better to initialize it by writing over it from /dev/random.
I've been writing PRNG's recently, but I don't want randomness to
initalize them. In fact I start out by zeroing the state buffers.
I want a key setup routine instead, so as to produce the *SAME* sequence
every time when started with the same key. It can also be an
interesting problem to make sure that key entropy is not wasted and is
spread evenly over the whole buffer. A hash function is the right way
to go to do that. Passwords generally do not have nearly the 256 bits
of entropy I want to spread over a PRNG state, so key management
(probably with keys loaded into the PRNG state by something that only
requires a password, damnit) will become important.
Bear
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141202/3679510e/attachment.sig>
More information about the cryptography
mailing list