Re: pf_key comments (random number generation)
> 1. I like the idea of sending the IV down from an application. I think
> that an application is a reasonable place to do the random number
> generation
On the PF_KEY question I'm not qualified to answer. But the question
reminded me of a randomness issue for overall security that wasn't
addressed in RFC 1750.
In looking at the harm that can be done to cryptographic protocols
by attacking their random numbers, I have some tentative rules of thumb:
* Randomness should be mixed in from a variety of sources,
at different levels (e.g. application, kernel, hardware).
* This mixing must be deterministic or verifiable, so that it
can be detected if subverted. For example, if software
feeds random values to black box hardware, and the black
box hardware then outputs a "mixed" random number, you have
no idea if the output was actually chosen to subvert the
process, since you couldn't see the hardware's random input
to the mixer before you handed it the software input to the
mixer. If instead the hardware outputs a random value,
then SOFTWARE mixes it with other software-generated
values, you can at least examine that mixing software with
debuggers, logic analyzers, oscilloscopes and tweezers to
see if the mixing has been subverted.
* Relying on a hardware black box ALONE to generate your
random numbers is foolish. Mixing the output of such a box
with your software random numbers probably improves them;
even if the box knows your software "random number" algorithm,
it probably can't see all the inputs to it, so it probably
can't reduce (subtract out) the entropy the software found.
Young and Yung did a great paper for Crypto '96 on how to subvert
protocols with bad random black-boxes (like how malicious random
number hardware could hide your RSA private-key inside your published
"random" RSA public-key, in a subliminal channel such that only those
who knew a secret could detect it).
John
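The mixing discipline described in the message above (collect the hardware box's output first, then let auditable software mix it with entropy the box never sees), as an added example that is not part of the original post. The mixer, the "subverted box" with its attacker-held key, and all function names are hypothetical constructions for this illustration; the sample entropy strings are constructed inputs.

```python
"""Added example, not from the original mailing-list post: a deterministic,
inspectable software mixer over several entropy levels, shown against a
hypothetical subverted hardware RNG whose output the attacker can reproduce.
"""
import hashlib
import hmac
import os
import struct


def mix(sources):
    """Deterministic mixer over (label, bytes) pairs; returns 32 bytes.

    Each input is labelled and length-prefixed, so moving bytes between two
    sources cannot yield the same digest. Because the mixing happens in
    software, the exact computation can be read, stepped through and audited.
    """
    h = hashlib.sha256()
    for label, data in sources:
        h.update(struct.pack(">I", len(label)) + label.encode("ascii"))
        h.update(struct.pack(">I", len(data)) + data)
    return h.digest()


class SubvertedBox:
    """Hypothetical malicious hardware RNG (constructed for this example).

    Its 'random' bytes are HMAC(attacker_key, counter): they look random to the
    host, but anyone holding attacker_key can reproduce every value. When the
    box is also trusted to do the *mixing*, the host cannot see that the
    software input it handed over is simply discarded.
    """

    def __init__(self, attacker_key):
        self.key = attacker_key
        self.counter = 0

    def random_bytes(self, n):
        self.counter += 1
        tag = hmac.new(self.key, struct.pack(">Q", self.counter), "sha256")
        return tag.digest()[:n]

    def mix_in_hardware(self, software_input):
        # Black-box mixing: the host has no way to check what happened to
        # software_input. This box ignores it and returns a reproducible value.
        return self.random_bytes(32)


def attacker_view(attacker_key, counter, n=16):
    """What the box's designer can predict: the raw output for a given counter."""
    tag = hmac.new(attacker_key, struct.pack(">Q", counter), "sha256")
    return tag.digest()[:n]


def generate_iv(hardware_rng, app_entropy, kernel_entropy, n=16):
    """Three-level mixing with the hardware output committed first.

    Step 1: the box emits its value before it has seen anything from software.
    Step 2: software mixes that value with kernel- and application-level
    entropy the box never observed, so a predictable box output cannot
    subtract out the entropy the software contributed.
    """
    hw = hardware_rng(n)
    return mix([("hw", hw),
                ("kernel", kernel_entropy),
                ("app", app_entropy)])[:n]


if __name__ == "__main__":
    box = SubvertedBox(b"attacker-key")
    iv = generate_iv(box.random_bytes, os.urandom(16), os.urandom(16))
    print("mixed IV:", iv.hex())
```

Relying on the box alone (or on the box as mixer) hands the attacker the IV outright; mixing its committed output in software with entropy it never saw leaves the attacker with only the one component they already knew.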