Re: [dsfjdssdfsd] Remove ref to DSS RNG

Donald Eastlake <d3e3e3@gmail.com> Sat, 15 March 2014 15:39 UTC

In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5C575A7@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF5C575A7@XMB116CNC.rim.net>
Date: Sat, 15 Mar 2014 11:39:26 -0400
Message-ID: <CAF4+nEGb30XCNs=z6GLyQ61h0bXzPC_-eiqv1gH81Oo=z46iyA@mail.gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/I_JkewYGnoAErFXtFFMPlnMPJQw
Cc: "dsfjdssdfsd@ietf.org" <dsfjdssdfsd@ietf.org>
Subject: Re: [dsfjdssdfsd] Remove ref to DSS RNG
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>

On 3/14/14, Dan Brown <dbrown@certicom.com> wrote:
> Hi,
>
> I think that the RFC 4086 sequel should drop the reference in its Section
> 7.2.3 to DSS RNG, or deprecate it.

I agree that its use for RNG should be deprecated.

However, I think the comment in RFC 4086 pointing out that DSS
requires new good randomness for each signature should remain and
probably the fact that, if you can control that "randomness" you can
leak an entire key in two signatures, should be mentioned and linked
to the recent "interesting" revelations and speculations concerning
subverted RNG...

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

> The main reason, as I vaguely recall, is that it suffers from some form of
> backtracking attack (found by somebody other than me).  Hence X9.62-2005
> dropped this RNG.
>
> I wonder if the following weak attack is the attack I'm trying to remember:
>
> An adversary who sees the latest output X_j and compromises the current
> state XKEY_(j+1) should, ideally, not be able to distinguish X_j from a
> uniformly random bit string.  The idea is that current secret state reveals
> nothing about past states.
>
> But in the DSS RNG, an adversary can easily confirm the match by testing
> that
>
> X_j == G(t, XKEY_(j+1) - 1 - X_j)
>
> Assuming that (optional user input) == 0.
>
> Hmm, maybe I'm wrong and just missing something obvious.
>
> I think newer DRBGs, e.g. in X9.82-3 and SP 800-90A, try to resist such
> attacks.
>
> Best regards,
>
> Daniel Brown
>
> Research In Motion Limited
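Added example, not part of this thread and not code from RFC 4086, FIPS 186 or either author: a small implementation of the DSS RNG state update that RFC 4086 section 7.2.3 describes (x_j = G(t, XKEY + XSEED_j), XKEY = 1 + XKEY + x_j mod 2^b), with the backtracking test from Dan's message run against it. Assumptions: G(t, c) is built as I read FIPS 186-2 Appendix 3.3, i.e. one SHA-1 compression over c zero-padded to a 512-bit block with t as the chaining value (the compression is checked against hashlib so that part is verified); outputs are the general-purpose 160-bit form quoted in the thread, without DSA's mod-q reduction; the seed value is constructed for the demo. The function names `dss_rng`, `backtracking_check` and `sha1_reference_ok` are my own.

```python
"""DSS RNG (FIPS 186-2 Appendix 3, as cited by RFC 4086 7.2.3) and the
backtracking test from the thread. Added example; names and the reading of
G(t, c) are this example's own assumptions, not the standard's text."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF
# The FIPS 186 constant t: SHA-1's initial chaining value.
T = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(h, block):
    """One SHA-1 compression of a 64-byte block on the 5-word chaining state h."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & MASK32) + e + k + w[i]) & MASK32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]


def sha1_reference_ok():
    """Sanity check: the compression above, fed one properly padded block,
    must agree with hashlib's SHA-1 on the message b"abc"."""
    msg = b"abc"
    block = msg + b"\x80" + bytes(56 - len(msg) - 1) + struct.pack(">Q", 8 * len(msg))
    digest = struct.pack(">5I", *sha1_compress(list(T), block))
    return digest == hashlib.sha1(msg).digest()


def g(t, c, b):
    """G(t, c) as assumed here: c is a b-bit value (160 <= b <= 512), zero-padded
    on the right to one 512-bit block, no length padding; returns 160 bits."""
    block = c.to_bytes(b // 8, "big") + bytes(64 - b // 8)
    return int.from_bytes(struct.pack(">5I", *sha1_compress(list(t), block)), "big")


def dss_rng(xkey, b, m, xseeds=None):
    """Run m steps from the b-bit seed XKEY. Returns [(x_j, XKEY_(j+1)), ...].
    xseeds is the optional user input XSEED_j (0 when omitted)."""
    mod = 1 << b
    out = []
    for j in range(m):
        xseed = xseeds[j] if xseeds else 0
        xval = (xkey + xseed) % mod
        x = g(T, xval, b)
        xkey = (1 + xkey + x) % mod  # the update that makes the test below possible
        out.append((x, xkey))
    return out


def backtracking_check(x, next_xkey, b, xseed=0):
    """Dan Brown's test: since XKEY_(j+1) = 1 + XKEY_j + x_j (mod 2^b), anyone
    holding x_j and the *later* state recovers XKEY_j and confirms x_j."""
    mod = 1 << b
    prev_xkey = (next_xkey - 1 - x) % mod
    return g(T, (prev_xkey + xseed) % mod, b) == x


if __name__ == "__main__":
    seed = 0x0123456789ABCDEF0123456789ABCDEF01234567  # constructed demo seed
    (x0, xkey1), (x1, xkey2) = dss_rng(seed, 160, 2)
    print("compression matches hashlib:", sha1_reference_ok())
    print("x_0 confirmed from XKEY_1:", backtracking_check(x0, xkey1, 160))
    print("x_1 confirmed from XKEY_2:", backtracking_check(x1, xkey2, 160))
    print("unrelated value rejected:", backtracking_check(x0 ^ 1, xkey1, 160))
```

The check succeeds for every output when XSEED is zero or known, and fails for an unrelated value, which is exactly the distinguisher Dan describes: past outputs are not protected once a later XKEY leaks. This is the property SP 800-90A names backtracking resistance and requires of its DRBGs, and it is a reason to deprecate the construction for general RNG use rather than just for DSA.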