Re: [dsfjdssdfsd] Discussion: Malicious Entropy Attacks: Eggs, and Baskets

Arnold Reinhold <> Sun, 16 March 2014 15:18 UTC

To: Krisztián Pintér <>
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <>

On Mar 15, 2014, at 11:50 AM, Krisztián Pintér <> wrote:

> Arnold Reinhold (at Friday, March 14, 2014, 5:20:56 PM):
>> Here are some scenarios where recovery from a state compromise would be important:
>> o A bug in system software that exposes PRNG state only rarely
>> o An attack that exposes PRNG state in a system that is well
>> guarded against covert channels, limiting undetected outbound messages to very low bit rate
> [...]
> and these are the attacks about which djb says: your system is broken.
> don't patch it, fix it. if such attacks could be carried out, session
> keys or long term keys might have been compromised. recovering your
> prng won't help that, the damage has been done.
> it is not the way to reduce the chance of any attack by a small
> factor, let the factor be a 100, or even a million, it is still small.
> what we want is systems that are reliable and safe. and if our system
> is safe, we don't need reseeding.

I am not aware of anyone who even claims to have a system that is "safe", as in free from any security bugs, much less one that remains safe from bugs being added as new software is developed and other bugs are fixed. 

And note that not all the issues I raised are software related. Tempest, for example, is a very tricky business. The NSA specs for Tempest protection are not publicly available, but I have been told they require tight physical configuration control, as even a single wire change can destroy Tempest protection. Perhaps the best that can be achieved is to keep any attacker a safe distance from critical systems. A determined attacker might be willing to absorb the effort and risk to covertly penetrate physical security barriers if doing so will lead to a permanent compromise of a one-time-seeded PRNG, less so if the benefits will last only briefly as the PRNG reseeds after they leave.

We now have something we never had before, an apparently thorough rigorous analysis of the reseeding issue. Of course, time should be allowed for responses and critiques to the Dodis paper to emerge, but planning new security guidelines that ignore this work seems foolhardy.

Arnold Reinhold
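The point argued in this reply, that reseeding bounds how long a copied PRNG state stays useful to whoever obtained it, can be shown concretely. The following is an added illustration, not code from the thread, from the Dodis paper, or from any real DRBG implementation: `ToyDRBG` is a constructed HMAC-SHA256 ratcheting generator with the shape of a keyed DRBG (secret state, output function, key ratchet, reseed hook), and `compromise_window` is a constructed simulation in which a second party holds an exact copy of the state. Every name and the sample byte strings are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional


class ToyDRBG:
    """Tiny HMAC-SHA256 ratcheting generator.

    Constructed teaching model: it mirrors the shape of a keyed DRBG
    (secret state, output function, ratchet, reseed hook) but is NOT
    SP 800-90A HMAC_DRBG and must not be used as a real randomness source.
    """

    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(b"seed|" + seed).digest()
        self.counter = 0

    def clone(self) -> "ToyDRBG":
        """Exact copy of the current secret state: this models the state compromise."""
        other = ToyDRBG.__new__(ToyDRBG)
        other.key, other.counter = self.key, self.counter
        return other

    def generate(self, nbytes: int = 32) -> bytes:
        # Output is a keyed function of the counter, so two holders of the
        # same state produce identical output streams.
        out = hmac.new(self.key, b"out|" + self.counter.to_bytes(8, "big"),
                       hashlib.sha256).digest()[:nbytes]
        # Ratchet the key forward: earlier outputs cannot be recovered from the
        # new state, but this alone does nothing about an already-copied state.
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        self.counter += 1
        return out

    def reseed(self, fresh_entropy: bytes) -> None:
        # Mix new entropy into the state. The old state is folded in as well,
        # so a low-quality reseed never leaves the generator worse than before.
        self.key = hmac.new(self.key, b"reseed|" + fresh_entropy,
                            hashlib.sha256).digest()


def compromise_window(seed: bytes, fresh_entropy: bytes,
                      n_before: int = 3, n_after: int = 3,
                      observer_guess: Optional[bytes] = None) -> dict:
    """Count how many of the victim's outputs a holder of a copied state
    predicts correctly, before and after the victim reseeds.

    observer_guess is what the observer believes the reseed input was; None
    means they have no information and simply keep running the copied state.
    """
    victim = ToyDRBG(seed)
    observer = victim.clone()  # the compromise happens here

    before = sum(victim.generate() == observer.generate() for _ in range(n_before))

    victim.reseed(fresh_entropy)  # fresh bits the observer did not see
    if observer_guess is not None:
        observer.reseed(observer_guess)

    after = sum(victim.generate() == observer.generate() for _ in range(n_after))
    return {"predicted_before_reseed": before, "predicted_after_reseed": after}


if __name__ == "__main__":
    SEED = b"constructed initial seed"            # constructed sample input
    FRESH = b"constructed 32-byte entropy!!!!!!"   # constructed; stands in for os.urandom(32)
    # Unknown reseed input: 3 predicted before, 0 after.
    print(compromise_window(SEED, FRESH))
    # Reseed input the observer can guess: the window never closes (3 and 3).
    print(compromise_window(SEED, FRESH, observer_guess=FRESH))
```

The second call is the caveat that matters in practice: reseeding only closes the window if the mixed-in bits are ones the holder of the copied state cannot observe or guess, which is exactly why the quality and isolation of the entropy source, not just the presence of a reseed, decides whether recovery from compromise happens.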