[Cryptography] Elliptical Curveball
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Dec 8 05:13:54 EST 2015
From today's Daily WTF:
http://thedailywtf.com/articles/elliptical-curveball
Everything in cryptography depends upon “high quality” random numbers, and
lots of them. People get into semi-informed flamewars about what “entropy”
means, government agencies sneak backdoors into algorithms, performance
matters, secrecy matters, and unpredictability matters. The standard which
defines four randomness generators is NIST Special Publication 800-90. One
of the four raised suspicions because it (Dual_EC_DRBG) was three times
slower than any of the others.
Joe… well, Joe sends us his own code, which “fixed” this. He made one of the
others slower. Using MySQL stored procedures. Just bear in mind, with the
below, that it’s still cleaner, more comprehensible, and generally saner
than OpenSSL.
-- prng_nistctr_sp
-- Implements the NIST SP 800-90 CTR_DRBG cryptographic random number generator standard
-- with MySQL AES_ENCRYPT() as the block cipher (256 bit seed, 128 bit output)
[...]
A PRNG implemented as MySQL stored procedures. Wow.
Peter.
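For readers who want to see what that stored procedure is supposed to be computing, here is an added Go sketch of the SP 800-90A CTR_DRBG core (no derivation function, no additional input, AES from Go's standard crypto/aes); it was written for this archive page and is not Joe's code or anything from the Daily WTF. With AES-128 the seed material is keylen + blocklen = 256 bits and each output block is 128 bits, the figures in the header above; the seed string in main is constructed, not entropy.

```go
package main

import ("crypto/aes"; "fmt")
// CTRDRBG is the SP 800-90A CTR_DRBG working state (Key, V, reseed counter) with AES as the block cipher.
type CTRDRBG struct{ key, v []byte; reseedCounter uint64 }
// ctrBlocks increments V (a 128-bit big-endian counter) and encrypts it until n bytes exist; the key length was validated in NewCTRDRBG.
func (d *CTRDRBG) ctrBlocks(n int) []byte {
	block, _ := aes.NewCipher(d.key)
	out := make([]byte, 0, n+aes.BlockSize)
	for buf := make([]byte, aes.BlockSize); len(out) < n; out = append(out, buf...) {
		for i := aes.BlockSize - 1; i >= 0; i-- {
			if d.v[i]++; d.v[i] != 0 {
				break
			}
		}
		block.Encrypt(buf, d.v)
	}
	return out[:n]
}
// update is CTR_DRBG_Update: (Key, V) = seedlen bits of counter-mode keystream XOR providedData.
func (d *CTRDRBG) update(providedData []byte) {
	temp := d.ctrBlocks(len(d.key) + aes.BlockSize)
	for i := range temp {
		temp[i] ^= providedData[i]
	}
	d.key, d.v = temp[:len(d.key)], temp[len(d.key):]
}
// NewCTRDRBG instantiates without a derivation function: Key = V = 0, then Update(seed material), which must be exactly keylen+blocklen bytes.
func NewCTRDRBG(keyLen int, seedMaterial []byte) (*CTRDRBG, error) {
	if (keyLen != 16 && keyLen != 32) || len(seedMaterial) != keyLen+aes.BlockSize {
		return nil, fmt.Errorf("need a 16- or 32-byte AES key and %d bytes of seed material", keyLen+aes.BlockSize)
	}
	d := &CTRDRBG{key: make([]byte, keyLen), v: make([]byte, aes.BlockSize), reseedCounter: 1}
	d.update(seedMaterial)
	return d, nil
}
// Generate returns n bytes (no additional input), then runs Update with zeros so a later compromise of (Key, V) cannot recover them.
func (d *CTRDRBG) Generate(n int) ([]byte, error) {
	if d.reseedCounter > 1<<48 || n > 1<<16 {
		return nil, fmt.Errorf("reseed required, or request above max_number_of_bits_per_request")
	}
	out := d.ctrBlocks(n)
	d.update(make([]byte, len(d.key)+aes.BlockSize))
	d.reseedCounter++
	return out, nil
}
func main() { // constructed 32-byte seed for AES-128 (256-bit seed material, 128-bit blocks), not real entropy
	d, _ := NewCTRDRBG(16, []byte("constructed seed, 32 bytes, no!!"))
	out, _ := d.Generate(16); fmt.Printf("%x\n", out)
}
```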