[Cryptography] Mac OS 10.7.5 Random Numbers
iang at iang.org
Mon Feb 3 12:30:31 EST 2014
On 3/02/14 19:24 PM, John Kelsey wrote:
> What attack do you think is made practical by having only a 160-bit PRNG state, instead of a 256-bit state?
(Yeah, that was my thought.)
> Any validation process you come up with is going to have the same feature: once you've gotten something validated, changing it is, in general, going to mess up your validation. Otherwise the validation means nothing, because you could get a crypto device validated using RSA2048 and SHA256, and then change it over to using RSA512 and MD5.
Why can't validation say RSA2048 or longer, SHA1 or longer (SHAn)?
PRNG has 160-bit state, or more, all else held constant?
> The exact same thing holds true if, instead of a formal validation process like FIPS 140 validation or CC evaluation, you simply hire someone (or get some volunteers) to do a careful review of the architecture, cryptographic protocols and algorithms, and code of some crypto product. Suppose you have a crypto product, and you hire some high profile, trusted people to review the code and the design from top to bottom. Their review only really applies to the thing they reviewed. Once you start changing the algorithms, that original review doesn't say much. If a bunch of really smart people review Truecrypt and give it a green light, and then next year Truecrypt changes a couple of their crypto algorithms and rewrites some of their code, that review isn't very informative of the new version of Truecrypt.
> I don't know how much FIPS 140 labs reuse previous analysis when they revalidate something, but I don't see how you can change algorithms without doing some kind of revalidation, if you want that validation to mean anything at all.
Cryptography often relies on proofs from some related property, such as
the factoring difficulty problem. It would seem something could be done
along similar lines.