[Cryptography] Mac OS 10.7.5 Random Numbers

Bill Frantz frantz at pwpconsult.com
Tue Feb 4 14:03:26 EST 2014 

On 2/3/14 at 8:24 AM, crypto.jmk at gmail.com (John Kelsey) wrote:

>On Feb 3, 2014, at 12:44 AM, Bill Frantz <frantz at pwpconsult.com> quoted Apple source:
>>> On 2/2/14 at 9:34 PM, agr at me.com (Arnold Reinhold) wrote:
>>>   "THIS FILE IS NEEDED TO PASS FIPS ACCEPTANCE FOR THE 
>>>RANDOM NUMBER GENERATOR.
>>> IF YOU ALTER IT IN ANY WAY, WE WILL NEED TO GO THOUGH FIPS ACCEPTANCE AGAIN,
>>> AN OPERATION THAT IS VERY EXPENSIVE AND TIME CONSUMING. IN OTHER WORDS,
>>> DON'T MESS WITH THIS FILE."
>>>
>>
>>Adding yet more evidence that FIPS standards work against improved security. I wonder how much
>>NSA advice had to do with this situation.
>
>What attack do you think is made practical by having only a 
>160-bit PRNG state, instead of a 256-bit state?

I admit that 15 years ago, when I designed the E language 
communication protocol random source, I was concerned about the 
160 bit internal state of the Java SecureRandom object. I can't 
remember my code too well and am having difficulty reading it 
from the server, but I kept a somewhat larger pool.

I know of no such attack, but as a programmer, if I see such a 
comment in a piece of code after an attack is found, it is a red 
flag saying, "Don't fix it! Live with it!"

A number of people on this list have suggested combining NIST 
approved randomness with other sources because they don't trust 
the NIST sources. The cost of certification is an important 
reason they aren't suggesting improving the NIST standards.

As a side question, how much does compliance certification cost?


On 2/3/14 at 1:00 PM, leichter at lrw.com (Jerry Leichter) wrote:

>Now, if you say "a one-way hash with all the properties of 
>SHA-1 but with a longer intermediate state and output block 
>size", well, that's kind of saying what you want - but not in a 
>way that's actually useful unless you can pin down just what 
>"all the properties of SHA-1" might mean.

What exactly do we want in Yarrow? What are the characteristics 
of the mix function that are important. Why do we think, and I 
indeed do think, that crypto hashes are good mix functions.


>But we have enough trouble doing meaningful approvals for single implementations today that I don't see this [standardized, configurable modules] happening soon.

Given the results of code security review experiments I have 
seen, they do not catch deliberately inserted loopholes. Period. 
Proofs of correctness have their own problems. Too bad thats all 
we have.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | Truth and love must prevail  | Periwinkle
(408)356-8506      | over lies and hate.          | 16345 
Englewood Ave
www.pwpconsult.com |               - Vaclav Havel | Los Gatos, 
CA 95032

More information about the cryptography mailing list