tech-crypto archive
Re: Patch: new random pseudodevice
On Fri, 09 Dec 2011, Thor Lancelot Simon wrote:
An attacker who can break AES might be able to predict
the future output of _one_ instance of the generator. An
attacker who can break AES and recover the key and defeat the
backtracking resistance designed into CTR_DRBG *might* be able
to recover the prior outputs of the generator for that user.
An attacker who can do all these things *and* recover earlier
entropy-pool output from later entropy-pool output (that is, do
exactly what would have had to be done to break the old design)
can recover keys provided by the generator to other users. If
he happens to know when exactly they were produced (time is an
input to the algorithm), etc.
Fair enough, but you still seem to be talking about how good a
CSPRNG it is, whereas my concern is that it's pseudorandom, not
random.
How many different bit streams of length 2^31 can be produced by
a generator that has a 128-bit key? I think it's 2^128 different
pseudorandom bit streams of length 2^31. If they were truly
random, then there would be 2^(2^31) of them.
I still think it's not appropriate for /dev/random to output
pseudorandom bits (even cryptographically secure pseudorandom
bits) when it has historically output random bits (or at least
attempted to output random bits, modulo bugs, design mistakes,
etc.).
--apb (Alan Barrett)
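The counting argument in the reply above, made concrete as an added example (not code from this thread or from the NetBSD generator): a CTR-mode generator's output stream is a pure function of its key, so enumerating every key of a toy key length bounds the number of distinct streams at 2^key_bits, regardless of stream length. SHA-256 stands in for AES as the keyed block function, and the 8-bit key size is an assumption chosen so the whole key space can be enumerated.

```python
import hashlib


def toy_ctr_stream(key: bytes, nbytes: int) -> bytes:
    """CTR-mode keystream: block_i = F(key, counter_i).

    SHA-256 over (key || counter) is a stand-in for AES; the structure,
    not the primitive, is what matters for the counting argument.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def count_distinct_streams(key_bits: int, stream_bytes: int) -> int:
    """Enumerate every key of key_bits bits and count distinct streams.

    Whatever stream_bytes is, the answer can never exceed 2**key_bits.
    """
    key_len = (key_bits + 7) // 8
    seen = set()
    for k in range(1 << key_bits):
        seen.add(toy_ctr_stream(k.to_bytes(key_len, "big"), stream_bytes))
    return len(seen)


def possible_streams(stream_bytes: int) -> int:
    """Number of streams a truly random source could emit: 2**(8*stream_bytes)."""
    return 1 << (8 * stream_bytes)


def reachable_fraction_log2(key_bits: int, stream_bits: int) -> int:
    """log2 of (reachable streams / possible streams) = key_bits - stream_bits.

    For the thread's numbers (128-bit key, 2^31-bit stream) this is
    128 - 2**31, i.e. the generator reaches a 2^-(2^31 - 128) fraction.
    """
    return key_bits - stream_bits


if __name__ == "__main__":
    reached = count_distinct_streams(8, 16)   # 256 keys, 128-bit streams
    print(f"reachable streams: {reached} of {possible_streams(16)} possible")
    print("log2 fraction for the thread's case:", reachable_fraction_log2(128, 2**31))
```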