Re: [TLS] RNG vs. PRNG

Dean Anderson <dean@av8.com> Wed, 05 May 2010 01:09 UTC

Return-Path: <dean@av8.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C92AE3A697A for <tls@core3.amsl.com>; Tue, 4 May 2010 18:09:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.558
X-Spam-Level:
X-Spam-Status: No, score=-0.558 tagged_above=-999 required=5 tests=[AWL=-0.559, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uQMkD4Isls8X for <tls@core3.amsl.com>; Tue, 4 May 2010 18:09:48 -0700 (PDT)
Received: from cirrus.av8.net (cirrus.av8.net [130.105.36.66]) by core3.amsl.com (Postfix) with ESMTP id 6C3D83A6954 for <tls@ietf.org>; Tue, 4 May 2010 18:09:44 -0700 (PDT)
Received: from citation2.av8.net (citation2.av8.net [130.105.12.10]) (authenticated bits=0) by cirrus.av8.net (8.12.11/8.12.11) with ESMTP id o4519K3V003546 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Tue, 4 May 2010 21:09:23 -0400
Date: Tue, 4 May 2010 21:09:19 -0400 (EDT)
From: Dean Anderson <dean@av8.com>
X-X-Sender: dean@citation2.av8.net
To: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <A059CB15-9776-4711-8F79-94C6C76231B0@cs.columbia.edu>
Message-ID: <Pine.LNX.4.44.1005042046390.29670-100000@citation2.av8.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: "'tls@ietf.org'" <tls@ietf.org>
Subject: Re: [TLS] RNG vs. PRNG
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 May 2010 01:09:53 -0000

Inline:

On Tue, 4 May 2010, Steven Bellovin wrote:

> 
> On Apr 27, 2010, at 10:22 26PM, Nicolas Williams wrote:
> 
> > On Tue, Apr 27, 2010 at 08:54:54PM -0400, Blumenthal, Uri - 0668 - MITLL wrote:
> >> From practical point of view an important difference between RNG and
> >> PRNG is that it is (in practice, realistically) impossible to
> >> compromise a "true" RNG - its random output is not reproducible, and
> >> there's no way to purposefully get the same sequence from it -

If the RNG is truely random, it can not be biased either.  The bias is
the introduction of a non-random input; and by definition, a true RNG
has no non-random inputs. So a 'biased RNG' is just the discovery that
the device once thought to be an RNG was not one after all.

> > But there may be ways to attack the method by which the RNG works so as
> > to bias it.  Whereas there's no way to do that for a PRNG.  In general
> > it seems best to couple an RNG to a PRNG, using the former to seed and
> > periodically replenish the entropy pool of the latter, thus removing
> > biases from the RNG stream.
> 
> That's right.  Put differently, PRNGs have high behavioral assurance;
> if they're right, they'll continue to be right.  An RNG can be
> affected by the environment in all sorts of nasty analog ways.  This
> is one reason why in the Clipper chip design, the NSA used a PRNG to
> generate the unit keys.
> 
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb


Actually, the above is precisely wrong. 

PRNG's have statistical behaviors, as I described in an earlier post.  
However, some PRNGs (with statistically good behavior) have been
successfully analyzed by various methods, most impressively (to me) by
phase space analysis.

This claim by Bellovin's is most definitely not true of PRNGs: "if
they're right, they'll continue to be right".  PRNGs that are 'right'
have been broken in the past.  PRNGs can have bitwise statistical
properties and appear hard to predict, and still be subject to (eg)
phase space analysis.

I suspect the NSA most likely used PRNG's in Clipper because PRNGs were
practical to implement whereas RNGs are not. Or perhaps it was a mistake
altogether; Recall that Clipper was broken.  
http://findarticles.com/p/articles/mi_m0CGN/is_n140/ai_20909989/

It is definitely not because PRNGs can't be biased or analyzed.  Just
look at phase space analysis for DNS servers (BIND and DJBDNS), as well
as similar cracking on the GPS PRNG 'variation' that prevents commercial
units from getting the most accurate readings.  The GPS variation is
programmed into and corrected by military units, but not commercial
units. The 'variation' feature was supposed to prevent our enemies from
getting a super-accurate position.  GPS was broken shortly after 
commercial units became widely available.

		--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 256 5494