Philipp Gühring <[EMAIL PROTECTED]> writes:

>What is wrong with the following black-box test?
>
>* Open browser
>* Go to a dummy CA's website
>* Let the browser generate a keypair through the <keygen> or cenroll.dll
>* Import the generated certificate
>* Backup the certificate together with the private key into a PKCS#12 container
>* Extract the private key from the backup
>* Extract p and q from the private key
>* Extract the random parts of p and q (strip off the first and the last bit)
>* Automate the previous steps with some GUI-Automation system
>* Concatenate all random bits from all the keypairs together
>* Do the usual statistical tests with the random bits

How would this differentiate between keygen for which the PRNG is SHA1( get_thermal_noise() ) and one where it's SHA1( counter++ )? Or one where it's get_constant_value() and you take the counter++ -th primes as p and q? Or one where ...?

In addition the PRNG input to the keygen process has no bearing on the form of the primes generated, look at the IPsec DH primes with their long strings of 1 bits for an example, they'd fail a statistical test because they've been specially constructed to have a certain form, but that makes them stronger, not weaker. Thus both David Wagner's and my comments that the people asking this question/setting this requirement don't understand the problem.

So if you want a solution to something originating at the bureaucratic layer, you need to provide the solution at the bureaucratic layer.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
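
The first objection in the reply above, as an added example that is not part of the original message: blocks of SHA1(counter++) output pass the frequency and runs tests from NIST SP 800-22 at about the same rate as OS randomness, although every block can be recomputed by anyone who knows the counter. The 8-byte big-endian counter encoding, the block sizes, the choice of these two tests as "the usual statistical tests", and `os.urandom` standing in for a real entropy source are assumptions made for the illustration.

```python
import hashlib
import math
import os

def sha1_counter_stream(nbytes, start=0):
    """Predictable source from the reply: SHA1(counter++), no entropy at all."""
    out = bytearray()
    counter = start
    while len(out) < nbytes:
        out += hashlib.sha1(counter.to_bytes(8, "big")).digest()  # assumed encoding
        counter += 1
    return bytes(out[:nbytes])

def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def monobit_p(bits):
    """Frequency (monobit) test p-value, as in NIST SP 800-22."""
    s = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))

def runs_p(bits):
    """Runs test p-value, as in NIST SP 800-22."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0  # fails the frequency prerequisite of the runs test
    v = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    return math.erfc(abs(v - 2 * n * pi * (1 - pi)) /
                     (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def pass_rate(source, blocks=100, block_bytes=1024, alpha=0.01):
    """Fraction of blocks that pass both tests at significance level alpha."""
    passed = 0
    for i in range(blocks):
        bits = to_bits(source(i, block_bytes))
        if monobit_p(bits) >= alpha and runs_p(bits) >= alpha:
            passed += 1
    return passed / blocks

SOURCES = {  # constructed sources; each returns block i of n bytes
    "SHA1(counter++)": lambda i, n: sha1_counter_stream(n, start=i * 1000),
    "os.urandom": lambda i, n: os.urandom(n),
    "constant": lambda i, n: b"\x42" * n,
}

if __name__ == "__main__":
    for name, src in SOURCES.items():
        print(f"{name:16s} pass rate: {pass_rate(src):.2f}")
```

Only the constant source is rejected; the counter-driven one is statistically indistinguishable from the OS source, so a passing result says nothing about how much entropy went into the keys.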