On Dec 17, 2008, at 3:18 PM, Perry E. Metzger wrote:

I'd like to expand on a point I made a little while ago about the
"just throw everything at it, and hope the good sources drown out the
bad ones" entropy collection strategy.

The biggest problem in security systems isn't whether you're using 128
bit or 256 bit AES keys or similar trivia. The biggest problem is the
limited ability of the human mind to understand a design. This leads
to design bugs and implementation bugs. Design and implementation
flaws are the biggest failure mode for security systems, not whether
it will take all the energy in our galaxy vs. the entire visible
universe to brute force a key.

So, if you're designing any security system, the biggest thing on your
mind has to be how to validate that the system is secure. That
requires ways to know your design was correct, and ways to know you
actually implemented your design correctly....

Excellent points.

For the particular case of random generators based on mixing multiple sources, I would suggest that there are some obvious - if, apparently, little-used - testing strategies that will eliminate the most common failure modes:

1. Test the combiner. The combiner is a deterministic function. If you give it known inputs, the results will always be the same. The result is supposed to depend sensitively on all the inputs, so if you change any input, you should get very different outputs. This kind of testing would have avoided the Debian fiasco.

Note that knowing you have to write such a test will also discourage throwing in all sorts of complexity you don't understand because "it can't hurt". It can, and has.

2. There are many tests you can apply that will detect *non*-randomness. Test the *inputs* to your combiner. If an input consistently fails, think about whether it's adding enough value to be worth the complexity. If your inputs normally succeed and start failing ... something is wrong.

Since it's cheap to do, you might as well apply the same test to the output of the combiner - but don't expect to learn anything: With any decent combiner, even fixed inputs should produce random-looking output. So any problem detected this way is very serious.
                                                        -- Jerry
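The two tests above, as an added worked example that is not part of the thread and not anyone's production code. The combiner design is an assumption of mine (SHA-256 over length-prefixed source samples, run in counter mode to produce output); the "broken" combiner stands in for a mixer that silently stopped depending on one of its inputs. The three sample sources (a healthy source stand-in, a stuck source reading zeros, a timer sampled too fast) are constructed in-line so the script runs offline.

```python
"""Added example: test harness for a source-mixing random generator.

Test 1 checks the combiner (known-answer plus single-bit sensitivity).
Test 2 checks each input for NON-randomness, then shows that the same
test on the combiner's output tells you nothing even with bad inputs.
"""
import hashlib
import math
import random
import struct
import zlib


def combine(*sources: bytes, counter: int = 0) -> bytes:
    """Deterministic combiner (assumed design): SHA-256 over length-prefixed
    inputs plus a counter.  Prefixes keep (b"ab", b"c") from colliding with
    (b"a", b"bc")."""
    h = hashlib.sha256()
    for s in sources:
        h.update(struct.pack(">I", len(s)) + s)
    h.update(struct.pack(">Q", counter))
    return h.digest()


def combine_broken(*sources: bytes, counter: int = 0) -> bytes:
    """Hypothetical defect: the mixer drops its last source.  Output still
    looks random, so only a dependence test will notice."""
    return combine(*sources[:-1], counter=counter)


def stretch(mixer, sources, nbytes: int) -> bytes:
    """Produce nbytes of output from the mixer by incrementing the counter."""
    blocks = -(-nbytes // 32)  # ceiling division, 32 bytes per digest
    return b"".join(mixer(*sources, counter=i) for i in range(blocks))[:nbytes]


def bit_diff(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def combiner_sensitivity(mixer, sources, trials: int = 64) -> list:
    """Test 1 (the combiner).  Known-answer: same inputs, same output.
    Sensitivity: flip one bit of one source and measure the fraction of
    output bits that change.  Returns one mean fraction per source; a good
    mixer gives ~0.5 for every source, an ignored source gives exactly 0.0."""
    base = mixer(*sources)
    if mixer(*sources) != base:
        raise AssertionError("combiner is not deterministic")
    fractions = []
    for i, s in enumerate(sources):
        rng = random.Random(i)  # reproducible choice of which bit to flip
        total = 0
        for _ in range(trials):
            pos = rng.randrange(len(s) * 8)
            flipped = bytearray(s)
            flipped[pos // 8] ^= 1 << (pos % 8)
            out = mixer(*sources[:i], bytes(flipped), *sources[i + 1:])
            total += bit_diff(base, out)
        fractions.append(total / (trials * len(base) * 8))
    return fractions


def nonrandomness(sample: bytes) -> list:
    """Test 2 (the sources).  Cheap detectors of NON-randomness: passing
    proves nothing, failing proves a problem.  Returns names of failed tests."""
    failed = []
    n = len(sample) * 8
    ones = sum(bin(b).count("1") for b in sample)
    # monobit: ones ~ Binomial(n, 1/2), sigma = sqrt(n)/2; flag beyond 4 sigma
    if abs(ones - n / 2) > 4 * math.sqrt(n) / 2:
        failed.append("monobit")
    # compressibility: anything deflate can shrink has visible structure
    if len(zlib.compress(sample, 9)) < 0.95 * len(sample):
        failed.append("compressible")
    return failed


# Constructed sample sources (4 KiB each), not real hardware readings.
_rng = random.Random(20081217)
GOOD = bytes(_rng.getrandbits(8) for _ in range(4096))  # healthy source stand-in
STUCK = bytes(4096)                                      # failed source, reads zeros
COUNTER = bytes(i & 0xFF for i in range(4096))           # timer sampled too fast


def run_all() -> dict:
    """Run both tests and return the results for inspection."""
    srcs = [GOOD, STUCK, COUNTER]
    return {
        "sensitivity_good": combiner_sensitivity(combine, srcs),
        "sensitivity_broken": combiner_sensitivity(combine_broken, srcs),
        "inputs": {"GOOD": nonrandomness(GOOD), "STUCK": nonrandomness(STUCK),
                   "COUNTER": nonrandomness(COUNTER)},
        # Even with two bad inputs the mixed output passes: testing the
        # output only catches disasters, testing the inputs catches decay.
        "output": nonrandomness(stretch(combine, srcs, 4096)),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

Note what each test does and does not catch: the monobit test passes the COUNTER source (its ones and zeros balance exactly) while the compression test fails it, which is why you want several cheap detectors rather than one; and the sensitivity test is the only one that notices combine_broken, because its output is still a perfectly good-looking hash.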

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
