Re: [dsfjdssdfsd] Discussion: Malicious Entropy Attacks: Eggs, and Baskets
Theodore Ts'o <tytso@mit.edu> Tue, 11 March 2014 19:54 UTC
Date: Tue, 11 Mar 2014 15:54:43 -0400
From: Theodore Ts'o <tytso@mit.edu>
To: Alyssa Rowan <akr@akr.io>
Message-ID: <20140311195443.GD2190@thunk.org>
References: <531F6068.4080907@akr.io>
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/SnG2zn9hzqmmLEpBsZV2azMRJvI
Cc: dsfjdssdfsd@ietf.org
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
On Tue, Mar 11, 2014 at 07:13:44PM +0000, Alyssa Rowan wrote:
> B. A 'running' state, which uses that key, holds it securely, and runs
> a good deterministic random bit generator to generate as much
> randomness as we need [up to some limit].
>
> Specifically, djb advocates running A -then- run B (presumably, up to
> some defined limit, as no DRBG is sound _ad infinitum_, then we'd have
> to block and go back to A to gather another key?).

I'll note that a criterion for judging RNGs which is very popular with academics who love to write papers poking (theoretical) holes into random number generators is how quickly an RNG can recover from state compromise. One of the reasons why some people love RNGs such as Fortuna and Yarrow is that they are specifically designed to recover from state compromises --- and the scheme which djb has suggested would do poorly on that particular metric.

Does it matter? Well, entire virtual forests of electronic trees have been felled by people speculating on whether fast/reliable recovery from state compromise is critically important compared to other design considerations. Personally, my take is that if you can compromise the state of the RNG, you can probably do far more damage, so I'm not convinced state compromise is a very high priority threat to defend against. But there are tons and tons of academic papers which are convinced that any RNG which doesn't worry about this attack is Fatally Flawed.

- Ted
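The "recovery from state compromise" metric Ted refers to can be made concrete with a small simulation. The following is an added example written for this archive page; it is not code from Ted, Alyssa, djb, or any of the generators named in the thread. It assumes a toy HMAC-based generator (`ToyDRBG`, constructed here, not SP 800-90A HMAC_DRBG) as stage B, `os.urandom` as a stand-in for stage A's entropy gathering, and a `reseed_limit` that models the "up to some limit" in the quoted text. An attacker is modelled as copying the full internal state at one point and then running a clone; the output records, per generated block, whether the clone predicted it. Comparing a small reseed limit (Fortuna-style periodic reseeding) with an effectively unbounded one (run B until the limit) shows why the latter scores poorly on this metric, and also that the key ratchet inside stage B gives backtracking resistance but does nothing for recovery.

```python
import hashlib
import hmac
import os


class ToyDRBG:
    """Toy deterministic random bit generator (stage B of the scheme in the
    thread). Constructed for this example; it is NOT SP 800-90A HMAC_DRBG.

    State is a 32-byte key plus a counter.  Each call emits HMAC(key, counter)
    and then ratchets the key one way, so a captured state reveals future
    outputs but not past ones.  A reseed mixes fresh entropy (stage A) into
    the key; `reseed_limit` caps how many outputs may be drawn between reseeds.
    """

    def __init__(self, seed: bytes, reseed_limit: int):
        self.key = hashlib.sha256(b"init" + seed).digest()
        self.counter = 0
        self.reseed_limit = reseed_limit
        self.since_reseed = 0

    @classmethod
    def from_state(cls, key, counter, since_reseed, reseed_limit):
        """Rebuild a generator from captured internal state (models compromise)."""
        obj = cls.__new__(cls)
        obj.key, obj.counter = key, counter
        obj.since_reseed, obj.reseed_limit = since_reseed, reseed_limit
        return obj

    def reseed(self, entropy: bytes) -> None:
        # Mix new entropy into the key; whoever holds only the old key cannot
        # follow unless they also learn (or can guess) `entropy`.
        self.key = hmac.new(self.key, b"reseed" + entropy, hashlib.sha256).digest()
        self.since_reseed = 0

    def generate(self, n: int = 32) -> bytes:
        if self.since_reseed >= self.reseed_limit:
            raise RuntimeError("reseed limit reached; fresh entropy required")
        out = hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()[:n]
        self.counter += 1
        self.since_reseed += 1
        # One-way ratchet: backtracking resistance, not recovery from compromise.
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        return out


def fresh_entropy() -> bytes:
    """Stage A stand-in: 32 bytes from the OS (assumption: os.urandom is sound)."""
    return os.urandom(32)


def predictability_after_compromise(reseed_limit, rounds, compromise_at, entropy_source=fresh_entropy):
    """Run the generator for `rounds` outputs, reseeding whenever the limit is hit.

    At output `compromise_at` the full internal state is copied and a clone
    runs alongside from then on.  Returns, per output, whether the clone
    predicted it.  The number of True values after the compromise is how many
    outputs the design leaks before it recovers."""
    real = ToyDRBG(b"constructed seed", reseed_limit)
    clone = None
    predicted = []
    for i in range(rounds):
        if real.since_reseed >= real.reseed_limit:
            real.reseed(entropy_source())          # stage A: gather a new key
        if i == compromise_at:
            key, ctr, since = real.key, real.counter, real.since_reseed
            clone = ToyDRBG.from_state(key, ctr, since, reseed_limit=rounds + 1)
        out = real.generate()
        predicted.append(clone is not None and clone.generate() == out)
    return predicted


if __name__ == "__main__":
    # Periodic reseed every 4 outputs: the clone loses the thread at the next reseed.
    print(predictability_after_compromise(reseed_limit=4, rounds=10, compromise_at=1))
    # Run B until an effectively unbounded limit: every later output is predicted.
    print(predictability_after_compromise(reseed_limit=10**9, rounds=10, compromise_at=1))
```

The first run yields three predicted outputs and then recovers at the reseed; the second never recovers within the run. The reseed limit is the only knob that changes the result, which is the point of the metric: the generator's internal strength (here the HMAC ratchet) is irrelevant once the state is known, and only fresh stage A entropy restores unpredictability.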