Re: [TLS] RNG vs. PRNG

Steven Bellovin <smb@cs.columbia.edu> Tue, 04 May 2010 13:57 UTC

From: Steven Bellovin <smb@cs.columbia.edu>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Cc: "'tls@ietf.org'" <tls@ietf.org>
Date: Tue, 4 May 2010 09:10:36 -0400
Subject: Re: [TLS] RNG vs. PRNG
In-Reply-To: <20100428022226.GF10389@Sun.COM>
References: <20100428005508.6F8BF3A6A6A@core3.amsl.com> <20100428022226.GF10389@Sun.COM>
Message-Id: <A059CB15-9776-4711-8F79-94C6C76231B0@cs.columbia.edu>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>

On Apr 27, 2010, at 10:22:26 PM, Nicolas Williams wrote:

> On Tue, Apr 27, 2010 at 08:54:54PM -0400, Blumenthal, Uri - 0668 - MITLL wrote:
>> From a practical point of view an important difference between RNG and
>> PRNG is that it is (in practice, realistically) impossible to
>> compromise a "true" RNG - its random output is not reproducible, and
>> there's no way to purposefully get the same sequence from it -
> 
> But there may be ways to attack the method by which the RNG works so as
> to bias it.  Whereas there's no way to do that for a PRNG.  In general
> it seems best to couple an RNG to a PRNG, using the former to seed and
> periodically replenish the entropy pool of the latter, thus removing
> biases from the RNG stream.

That's right.  Put differently, PRNGs have high behavioral assurance; if they're right, they'll continue to be right.  An RNG can be affected by the environment in all sorts of nasty analog ways.  This is one reason why in the Clipper chip design, the NSA used a PRNG to generate the unit keys.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb
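The coupling Nicolas describes and Steve endorses (a physical RNG seeding and periodically reseeding a deterministic PRNG, so that analog bias in the source does not reach consumers, while the PRNG's deterministic behaviour is something you can test) can be shown in a few dozen lines. The code below is an added illustration, not part of this thread or of any TLS implementation: a simplified HMAC-based DRBG in the style of SP 800-90A's HMAC_DRBG (no personalization string, no reseed counter, so not a conforming implementation), seeded from a constructed source that is deliberately biased toward 1 bits to stand in for a misbehaving analog RNG. The class name `HmacDrbg`, the helper names and the 0.7 bias are all assumptions made for the example.

```python
import hmac
import hashlib
import math
import random


class HmacDrbg:
    """Simplified HMAC_DRBG-style generator (illustrative, not SP 800-90A conforming).

    Deterministic: the same seed always yields the same output stream, which is
    the 'behavioral assurance' property. It cannot add entropy; it only spreads the
    entropy present in the seed uniformly over the output.
    """

    def __init__(self, seed: bytes):
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(seed)

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes = b"") -> None:
        # Standard two-step key/state update; the second half only runs when
        # new input (seed or reseed material) is being absorbed.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided)
        self.V = self._hmac(self.K, self.V)
        if provided:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy: bytes) -> None:
        """Replenish state from the RNG; this is where fresh entropy enters."""
        self._update(entropy)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update()  # ratchet forward so past output does not reveal future output
        return out[:n]


def biased_source(nbytes: int, p_one: float = 0.7, rng=None) -> bytes:
    """Constructed stand-in for an analog RNG whose bits lean toward 1.

    A fixed-seed random.Random drives it so the demo is reproducible; a real
    source would of course not be reproducible at all.
    """
    rng = rng or random.Random(2010)
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (1 if rng.random() < p_one else 0)
        out.append(byte)
    return bytes(out)


def ones_fraction(data: bytes) -> float:
    """Fraction of 1 bits; 0.5 is the unbiased ideal."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


def min_entropy_bits(p_one: float, nbits: int) -> float:
    """Min-entropy carried by nbits of a source whose bits are 1 with probability p_one.

    This is the number the seeding logic should budget against: conditioning
    through the DRBG removes the bias but cannot create entropy the raw bits lacked.
    """
    return nbits * -math.log2(max(p_one, 1.0 - p_one))


def demo() -> tuple:
    """Return (bias of raw source, bias after conditioning through the DRBG)."""
    raw = biased_source(4096)
    drbg = HmacDrbg(raw[:64])          # seed from the (biased) RNG
    conditioned = drbg.generate(4096)  # consumers read from the PRNG, not the RNG
    return ones_fraction(raw), ones_fraction(conditioned)


if __name__ == "__main__":
    raw_bias, cond_bias = demo()
    print(f"raw source ones fraction:   {raw_bias:.3f}")
    print(f"after DRBG ones fraction:   {cond_bias:.3f}")
    print(f"min-entropy in 512 raw bits: {min_entropy_bits(0.7, 512):.1f} bits")
```

The raw stream shows its 70/30 skew plainly, while the DRBG output sits at one half within sampling noise. The `min_entropy_bits` figure is the caveat that goes with that: 512 bits from a source this skewed carry only about 263 bits of min-entropy, so an implementation must collect enough raw material to cover its target security level before seeding, and `reseed` is how the deterministic generator keeps being fed.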