[Cryptography] Mac OS 10.7.5 Random Numbers
frantz at pwpconsult.com
Tue Feb 4 14:03:26 EST 2014
On 2/3/14 at 8:24 AM, crypto.jmk at gmail.com (John Kelsey) wrote:
>On Feb 3, 2014, at 12:44 AM, Bill Frantz <frantz at pwpconsult.com> quoted Apple source:
>>> On 2/2/14 at 9:34 PM, agr at me.com (Arnold Reinhold) wrote:
>>> "THIS FILE IS NEEDED TO PASS FIPS ACCEPTANCE FOR THE
>>>RANDOM NUMBER GENERATOR.
>>> IF YOU ALTER IT IN ANY WAY, WE WILL NEED TO GO THOUGH FIPS ACCEPTANCE AGAIN,
>>> AN OPERATION THAT IS VERY EXPENSIVE AND TIME CONSUMING. IN OTHER WORDS,
>>> DON'T MESS WITH THIS FILE."
>>Adding yet more evidence that FIPS standards work against improved security. I wonder how much
>>NSA advice had to do with this situation.
>What attack do you think is made practical by having only a
>160-bit PRNG state, instead of a 256-bit state?
I admit that 15 years ago, when I designed the E language
communication protocol random source, I was concerned about the
160 bit internal state of the Java SecureRandom object. I can't
remember my code too well and am having difficulty reading it
from the server, but I kept a somewhat larger pool.
I know of no such attack, but as a programmer, if I see such a
comment in a piece of code after an attack is found, it is a red
flag saying, "Don't fix it! Live with it!"
A number of people on this list have suggested combining NIST
approved randomness with other sources because they don't trust
the NIST sources. The cost of certification is an important
reason they aren't suggesting improving the NIST standards.
As a side question, how much does compliance certification cost?
On 2/3/14 at 1:00 PM, leichter at lrw.com (Jerry Leichter) wrote:
>Now, if you say "a one-way hash with all the properties of
>SHA-1 but with a longer intermediate state and output block
>size", well, that's kind of saying what you want - but not in a
>way that's actually useful unless you can pin down just what
>"all the properties of SHA-1" might mean.
What exactly do we want in Yarrow? What are the characteristics
of the mix function that are important. Why do we think, and I
indeed do think, that crypto hashes are good mix functions.
>But we have enough trouble doing meaningful approvals for single implementations today that I don't see this [standardized, configurable modules] happening soon.
Given the results of code security review experiments I have
seen, they do not catch deliberately inserted loopholes. Period.
Proofs of correctness have their own problems. Too bad thats all
Cheers - Bill
Bill Frantz | Truth and love must prevail | Periwinkle
(408)356-8506 | over lies and hate. | 16345
www.pwpconsult.com | - Vaclav Havel | Los Gatos,
More information about the cryptography