[Cryptography] Checking for the inadvertent use of test keys

John Denker jsd at av8n.com
Wed Sep 2 12:34:11 EDT 2015

On 09/02/2015 12:00 AM, Peter Gutmann wrote:
> Let's say you've got some key-consuming code that's supposed to be fed random
> keys and you want to catch inadvertent use of test keys and nonces, strings
> like "012345678" and "\x01\x23\x45...", that sort of thing.  

Using the language of cryptanalysis, we can look at this as
a /dictionary attack/ ... in this case a white-hat dictionary
attack ... but in any case it boils down to populating the 
dictionary with the appropriate entries.

Existing password dictionaries were compiled largely by
observation, e.g. by stealing passwords from vulnerable
sites and adding them to the dictionary.

One could imagine doing something analogous for keys.  On
some live system(s), escrow each key for a while.  Any key 
that gets re-used within a week gets added to the dictionary;
all others get expunged.

Keep track of the hit-count for each item in the dictionary.

> things like edit distances

You could have regular expressions as entries in the dictionary,
perhaps in a separate volume of the dictionary.

More information about the cryptography mailing list