Re: [dsfjdssdfsd] What has gone wrong with RNGs in practice

Nick Mathewson <nickm@torproject.org> Mon, 17 March 2014 16:16 UTC

In-Reply-To: <810C31990B57ED40B2062BA10D43FBF5C5918A@XMB116CNC.rim.net>
References: <810C31990B57ED40B2062BA10D43FBF5C5918A@XMB116CNC.rim.net>
Date: Mon, 17 Mar 2014 12:16:23 -0400
Message-ID: <CAKDKvuxCBcJmcO-=LO-53ARn5U8f5G_BZQCuaG9=BDTW7uCOpw@mail.gmail.com>
From: Nick Mathewson <nickm@torproject.org>
To: Dan Brown <dbrown@certicom.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/kRaYJlcsuzeBKvbffhVFZylJtJ8
Cc: "dsfjdssdfsd@ietf.org" <dsfjdssdfsd@ietf.org>
Subject: Re: [dsfjdssdfsd] What has gone wrong with RNGs in practice

On Mon, Mar 17, 2014 at 10:35 AM, Dan Brown <dbrown@certicom.com> wrote:

> > EE. Bad entropy estimation
> >
> > Numerous RNGs rely on each entropy input being accompanied by an
> > estimate of how many bits of entropy each contains. Historically,
> > these entropy estimates have been pretty bogus, but I'm not aware of
> > any attack arising out of that.
>
> Does the Goldberg--Wagner attack on the poorly seeded Netscape SSL RNG
> count here?
>

Not exactly.  I meant item "EE" to cover only cases where the RNG has an
internal variable that tracks how much entropy it has received, but this
internal variable is calculated through a dubious process.

If I'm reading [1] correctly, the Netscape SSL RNG problem was that it only
seeded with the PID, the parent PID, and the current time in microseconds.
It didn't track entropy levels at all: it just failed to use adequate
entropy.

So let's add a new category to the list:

"
J. Not even trying to use enough entropy as an input.
"

[1] http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html

-- 
Nick
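The distinction drawn in this message (an RNG that keeps a dubious entropy counter, item EE, versus one that never gathers enough entropy in the first place, item J) can be made concrete with a small accounting model. The following is an added example, not code from the thread or from any of the implementations discussed: it credits each seed input with no more entropy than its value range can hold, sums the credits (assuming independent inputs, which over-credits correlated ones such as a PID and its parent PID), and refuses to emit output below a threshold. The input names, the 2^15 PID range and the 128-bit threshold are assumptions chosen for illustration; the Netscape-style seed is the PID, parent PID and microsecond timestamp described above, with constructed sample values.

```python
import hashlib
import math
import os
from dataclasses import dataclass, field


@dataclass
class EntropyInput:
    """One seed input plus the entropy estimate its supplier claims for it."""
    name: str
    data: bytes
    claimed_bits: float   # what the caller asserts; often bogus (item EE)
    value_range: int      # number of distinct values the input can realistically take


def conservative_credit(inp: EntropyInput) -> float:
    """Credit min(claimed, log2(value_range)) bits, never less than zero.

    A field with 2^15 possible values cannot carry more than 15 bits no matter
    what the caller claims, so the range caps the credit.
    """
    upper_bound = math.log2(inp.value_range) if inp.value_range > 0 else 0.0
    return max(0.0, min(inp.claimed_bits, upper_bound))


def seed_budget(inputs) -> float:
    """Total credited bits, treating inputs as independent (an upper bound)."""
    return sum(conservative_credit(i) for i in inputs)


@dataclass
class AccountingPool:
    """Hash-mixed pool that tracks credited entropy and withholds output below min_bits."""
    min_bits: float = 128.0          # assumed threshold for this example
    credited_bits: float = 0.0
    state: bytes = field(default_factory=lambda: b"\x00" * 32)

    def add(self, inp: EntropyInput) -> float:
        # Mix the raw bytes in regardless of credit; credit only what the range supports.
        self.state = hashlib.sha256(self.state + inp.name.encode() + inp.data).digest()
        credit = conservative_credit(inp)
        self.credited_bits += credit
        return credit

    def ready(self) -> bool:
        return self.credited_bits >= self.min_bits

    def output(self, n: int) -> bytes:
        if not self.ready():
            raise RuntimeError(
                f"only {self.credited_bits:.1f} bits credited, need {self.min_bits:.0f}")
        out = hashlib.sha256(self.state + b"out").digest()[:n]
        self.state = hashlib.sha256(self.state + b"next").digest()  # ratchet forward
        return out


def netscape_style_inputs():
    """PID, parent PID and microseconds-within-second, each over-claimed at 32 bits.

    Values are constructed for the example; ranges assume 15-bit PIDs and
    10^6 microsecond values.
    """
    return [
        EntropyInput("pid", (1234).to_bytes(4, "big"), claimed_bits=32, value_range=2 ** 15),
        EntropyInput("ppid", (1000).to_bytes(4, "big"), claimed_bits=32, value_range=2 ** 15),
        EntropyInput("usec", (517_233).to_bytes(4, "big"), claimed_bits=32, value_range=10 ** 6),
    ]


def os_input() -> EntropyInput:
    """32 bytes from the OS CSPRNG, credited at the full 256 bits."""
    return EntropyInput("os", os.urandom(32), claimed_bits=256, value_range=2 ** 256)


def demo():
    """Returns (budget of the weak seed, ready before OS input, ready after)."""
    pool = AccountingPool()
    for inp in netscape_style_inputs():
        pool.add(inp)
    weak_budget = pool.credited_bits
    before = pool.ready()
    pool.add(os_input())
    after = pool.ready()
    return weak_budget, before, after


if __name__ == "__main__":
    budget, before, after = demo()
    print(f"weak seed credited {budget:.1f} bits; ready={before}; after OS input ready={after}")
```

The claimed figures sum to 96 bits and would pass a naive counter, which is the item-EE failure; the range-capped accounting credits roughly 50 bits and withholds output, which is the only sensible response to an item-J seed. Adding a single 32-byte OS input clears the threshold.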