Re: [dsfjdssdfsd] Remove ref to DSS RNG
Donald Eastlake <d3e3e3@gmail.com> Sat, 15 March 2014 15:42 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: dsfjdssdfsd@ietfa.amsl.com
Delivered-To: dsfjdssdfsd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C14AC1A012C for <dsfjdssdfsd@ietfa.amsl.com>; Sat, 15 Mar 2014 08:42:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cPxFt5qTcAQg for <dsfjdssdfsd@ietfa.amsl.com>; Sat, 15 Mar 2014 08:42:08 -0700 (PDT)
Received: from mail-oa0-x235.google.com (mail-oa0-x235.google.com [IPv6:2607:f8b0:4003:c02::235]) by ietfa.amsl.com (Postfix) with ESMTP id 9B7D71A010C for <dsfjdssdfsd@ietf.org>; Sat, 15 Mar 2014 08:42:08 -0700 (PDT)
Received: by mail-oa0-f53.google.com with SMTP id j17so3957882oag.12 for <dsfjdssdfsd@ietf.org>; Sat, 15 Mar 2014 08:42:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=jNbS5j+EwI4mqXdnbBIkX/dhZVqVpPqCTwl23q639ao=; b=Wb4RDpbA2rPsSzVPpMtz4QFFEGOHRVqRWvtvCEpIoY81LP8sLYO4onQWk+SS74C6GY tKI7EIKJFzHP06ixecQDhRu+24UXufCe74SCfrREX/VEYO60fi9LA7oqTTkdRvLUf13O X98mdv1cPAHO10fOjbVqgaxXcS1Uh6/kMPAhY9x3XsQCt/2owK+HJOtQHKMGa/4S92Bj W3GuzPOvNJs2N/zzdagbx+PdytW6W/15VJrve63FmrmOcxRr5Myk5ZbyMe1c8pB96hDt WHj93OKV8ppNOHMfQI1I0k3KtQlYXKDuq7Uon9M0WIzpu7IiCfQ6MQxvxQh6BGZxPAmn qZ7w==
MIME-Version: 1.0
X-Received: by 10.60.116.74 with SMTP id ju10mr12351740oeb.6.1394898121355; Sat, 15 Mar 2014 08:42:01 -0700 (PDT)
Received: by 10.76.23.138 with HTTP; Sat, 15 Mar 2014 08:42:01 -0700 (PDT)
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5C575A7@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF5C575A7@XMB116CNC.rim.net>
Date: Sat, 15 Mar 2014 11:42:01 -0400
Message-ID: <CAF4+nEHU7t9BTCrvHGnPwzhiismRfFGTT7S5vyGSbtn1jYo5DQ@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/GCXXv_-PeJGm5oQkaQjNLI4F9Ys
Cc: "dsfjdssdfsd@ietf.org" <dsfjdssdfsd@ietf.org>
Subject: Re: [dsfjdssdfsd] Remove ref to DSS RNG
X-BeenThere: dsfjdssdfsd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>
List-Post: <mailto:dsfjdssdfsd@ietf.org>
List-Help: <mailto:dsfjdssdfsd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Mar 2014 15:42:10 -0000
On 3/14/14, Dan Brown <dbrown@certicom.com> wrote: > Hi, > > I think that the RFC 4086 sequel should drop the reference in its Section > 7.2.3 to DSS RNG, or deprecate it. I agree that its use for RNG should be deprecated. However, I think the comment in RFC 4086 pointing out that DSS requires new good randomness for each signature should remain and probably the fact that, if you can control that "randomness" you can leak an entire key in two signatures, should be mentioned and linked to the recent "interesting" revelations and speculations concerning subverted RNG... Thanks, Donald ============================= Donald E. Eastlake 3rd +1-508-333-2270 (cell) 155 Beaver Street, Milford, MA 01757 USA d3e3e3@gmail.com > The main reason, as I vaguely recall, is that it suffers from some form of > backtracking attack (found by somebody other than me). Hence X9.62-2005 > dropped this RNG.. > > > > I wonder if the following weak attack is the attack I'm trying to remember: > > > > An adversary who sees the latest output X_j and compromises the current > state XKEY_(j+1) should, ideally, not be able to distinguish X_j from a > uniformly random bit string. The idea is that current secret state reveals > nothing about past states. > > > > But in the DSS RNG, an adversary can easily confirm the match by testing > that > > > > X_j == G(t, XKEY_(j+1) - 1 - X_j) > > > > Assuming that (optional user input) == 0. > > > > Hmm, maybe I'm wrong and just missing something obvious. > > > > I think newer DRBGs, e.g. in X9.82-3 and SP 800-90A, try to resist such > attacks. > > > > Best regards, > > > > > Daniel Brown > > > Research In Motion Limited
- [dsfjdssdfsd] Remove ref to DSS RNG Dan Brown
- Re: [dsfjdssdfsd] Remove ref to DSS RNG Donald Eastlake
- Re: [dsfjdssdfsd] Remove ref to DSS RNG Donald Eastlake