
Re: pf_key comments (random number generation)



> 1. I like the idea of sending the IV down from an application.  I think
> that an application is a reasonable place to do the random number
> generation

On the PF_KEY question I'm not qualified to answer.  But the question
reminded me of a randomness issue for overall security that wasn't
addressed in RFC 1750.

In looking at the harm that can be done to cryptographic protocols
by attacking their random numbers, I have some tentative rules of thumb:

	*  Randomness should be mixed in from a variety of sources,
	   at different levels (e.g. application, kernel, hardware).

	*  This mixing must be deterministic or verifiable, so that it
	   can be detected if subverted.  For example, if software
	   feeds random values to black box hardware, and the black
	   box hardware then outputs a "mixed" random number, you have
	   no idea if the output was actually chosen to subvert the
	   process, since you couldn't see the hardware's random input
	   to the mixer before you handed it the software input to the
	   mixer.  If instead the hardware outputs a random value,
	   then SOFTWARE mixes it with other software-generated
	   values, you can at least examine that mixing software with
	   debuggers, logic analyzers, oscilloscopes and tweezers to
	   see if the mixing has been subverted.

	*  Relying on a hardware black box ALONE to generate your
	   random numbers is foolish.  Mixing the output of such a box
	   with your software random numbers probably improves them;
	   even if the box knows your software "random number" algorithm,
	   it probably can't see all the inputs to it, so it probably
	   can't reduce (subtract out) the entropy the software found.

Young and Yung did a great paper for Crypto '96 on how to subvert
protocols with bad random black-boxes (like how malicious random
number hardware could hide your RSA private-key inside your published
"random" RSA public-key, in a subliminal channel such that only those
who knew a secret could detect it).

	John
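The two architectures contrasted in the rules of thumb above (the black box doing the mixing versus software doing the mixing), worked through as an added example. This is illustrative code written for this page, not part of John's message, RFC 1750 or any PF_KEY implementation. Assumptions: SHA-256 over labelled, length-prefixed inputs stands in for "the mixing software"; the names mix, audit, BlackBoxMixer, ATTACKER_KEY and the demo inputs are all invented here, and the subverted box is modelled as emitting values derived from a planted key and a counter so that its output still varies from call to call.

```python
import hashlib
import hmac
import os


def mix(sources):
    """Deterministic, auditable mixer: SHA-256 over labelled,
    length-prefixed inputs. Sorting the labels makes the result
    independent of the order in which the sources were collected."""
    h = hashlib.sha256()
    for label in sorted(sources):
        data = sources[label]
        h.update(label.encode("ascii") + b"\x00")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.digest()


def audit(logged_sources, claimed_output):
    """Anyone holding the logged inputs can recompute the mix and detect
    a substituted output (constant-time compare)."""
    return hmac.compare_digest(mix(logged_sources), claimed_output)


# Architecture A: the hardware does the mixing. The host hands its entropy
# in and gets a "mixed" value back; the box's own seed is never visible.
class BlackBoxMixer:
    ATTACKER_KEY = b"planted-at-manufacture"   # assumption: known to attacker

    def __init__(self, subverted):
        self.subverted = subverted
        self._seed = os.urandom(32)            # invisible to the host
        self._counter = 0

    def mix_with(self, software_input):
        self._counter += 1
        if self.subverted:
            # Looks random and changes every call, but is a function of
            # values the attacker knows; the host's input is simply ignored.
            return mix({"k": self.ATTACKER_KEY,
                        "n": self._counter.to_bytes(8, "big")})
        return mix({"hw_seed": self._seed, "sw": software_input})


def attacker_predicts_black_box(call_number):
    """What the attacker computes offline for the subverted box's n-th output."""
    return mix({"k": BlackBoxMixer.ATTACKER_KEY,
                "n": call_number.to_bytes(8, "big")})


def host_can_audit_black_box(software_input, output):
    """The host only sees its own input and the output. Without the box's
    seed it cannot recompute anything, so an honest box and a subverted
    one are indistinguishable from here (returns False for both)."""
    return audit({"sw": software_input}, output)


# Architecture B: the hardware only emits a value; software does the mixing
# with kernel- and application-level entropy it can see and log.
def software_mixed_key(hw_output, kernel_pool, app_entropy):
    sources = {"hw": hw_output, "kernel": kernel_pool, "app": app_entropy}
    return sources, mix(sources)


def attacker_predicts_software_mix(hw_output_chosen, guessed_kernel, guessed_app):
    """Attacker controls the hardware output completely and knows the
    mixing algorithm, but still has to guess the software-side inputs."""
    return mix({"hw": hw_output_chosen,
                "kernel": guessed_kernel, "app": guessed_app})


def demo():
    # Constructed inputs: fresh OS randomness stands in for kernel/app entropy.
    sw = os.urandom(16)
    box = BlackBoxMixer(subverted=True)
    out = box.mix_with(sw)
    a_predictable = out == attacker_predicts_black_box(1)
    a_auditable = host_can_audit_black_box(sw, out)

    chosen_hw = b"\x00" * 32                  # fully attacker-chosen hardware output
    kernel, app = os.urandom(32), os.urandom(16)
    logged, key = software_mixed_key(chosen_hw, kernel, app)
    b_predictable = key == attacker_predicts_software_mix(
        chosen_hw, b"\x00" * 32, b"\x00" * 16)
    b_auditable = audit(logged, key)
    b_tamper_detected = not audit(logged, bytes(32))
    return {"A_predictable": a_predictable, "A_auditable": a_auditable,
            "B_predictable": b_predictable, "B_auditable": b_auditable,
            "B_tamper_detected": b_tamper_detected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In architecture A the subverted box's output is fully predictable to whoever planted the key, and the host has no way to tell, because the one input it would need to recompute the mix (the box's seed) is exactly the one it never sees. In architecture B the attacker may dictate the hardware value outright, yet cannot reproduce the key without the software-side inputs, and because those inputs are visible they can be logged and the mix recomputed later with a debugger or on another machine. A plain hash is used here only to keep the mixing step transparent; a production design would feed the same sources into a standard extractor/DRBG rather than a bare SHA-256.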

