[Cryptography] Checking for the inadvertent use of test keys
John Denker
jsd at av8n.com
Wed Sep 2 12:34:11 EDT 2015
On 09/02/2015 12:00 AM, Peter Gutmann wrote:
> Let's say you've got some key-consuming code that's supposed to be fed random
> keys and you want to catch inadvertent use of test keys and nonces, strings
> like "012345678" and "\x01\x23\x45...", that sort of thing.
Using the language of cryptanalysis, we can look at this as
a /dictionary attack/ ... in this case a white-hat dictionary
attack ... but in any case it boils down to populating the
dictionary with the appropriate entries.
Existing password dictionaries were compiled largely by
observation, e.g. by stealing passwords from vulnerable
sites and adding them to the dictionary.
One could imagine doing something analogous for keys. On
some live system(s), escrow each key for a while. Any key
that gets re-used within a week gets added to the dictionary;
all others get expunged.
Keep track of the hit-count for each item in the dictionary.
> things like edit distances
You could have regular expressions as entries in the dictionary,
perhaps in a separate volume of the dictionary.
More information about the cryptography
mailing list