[Cryptography] Checking for the inadvertent use of test keys

Tom Mitchell mitch at niftyegg.com
Wed Sep 2 15:51:06 EDT 2015


On Wed, Sep 2, 2015 at 9:34 AM, John Denker <jsd at av8n.com> wrote:

> On 09/02/2015 12:00 AM, Peter Gutmann wrote:
> > Let's say you've got some key-consuming code that's supposed to be fed
> random
> > keys and you want to catch inadvertent use of test keys and nonces,
> strings
> > like "012345678" and "\x01\x23\x45...", that sort of thing.
>
> Using the language of cryptanalysis, we can look at this as
> a /dictionary attack/ ... in this case a white-hat dictionary
> attack ... but in any case it boils down to populating the
> dictionary with the appropriate entries.
>

A sorted dictionary file and some one time preprocessing to speed up
your check should work.  Some data base lookups are quicker than
a hack to speed up.

I am curious... Are you asking for a test to see if your random key
generator fails
by generating lame strings like 987654321?       I half way assume that the
keys you want are keys people might use with the omission of the darn
stupid ones.
Password cracking folk have collected and sorted real passwords and publish
the common ones to use or exclude.

But a random key input would not generate very many lame keys
if it is random, a key consuming block of code should not care.

If you are live testing and want to exclude lame yet expected keys to limit
the exposure of real account breaches filtering against these published
dictionaries is a good idea.

Live testing requires documented permission and clear directions.... there
are still tangles.  CYA.


-- 
  T o m    M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150902/0b359512/attachment.html>


More information about the cryptography mailing list