-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sep 7, 2013, at 8:06 PM, John Kelsey <crypto....@gmail.com> wrote:

> There are basically two ways your RNG can be cooked:
>
> a. It generates predictable values. Any good cryptographic PRNG will do
> this if seeded by an attacker. Any crypto PRNG seeded with too little
> entropy can also do this.
>
> b. It leaks its internal state in its output in some encrypted way.
> Basically any cryptographic processing of the PRNG output is likely to
> clobber this.

There's also another way -- that it's a constant PRNG. For example, take a
good crypto PRNG, seed it in manufacturing, and then in its life, it just
outputs from that fixed state. That fixed state might be secret or known to
outsiders, but either way, it's a cooked PRNG.

Sadly, there were (are?) some hardware PRNGs on TPMs that were precisely
this.

	Jon

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFSLLbjsTedWZOD3gYRAhMzAJ93/YEF8mTwdJ/ktl5SiR5IPp4DtwCeIrZh
KHVy+CIpN69GpJNlX0LiKiM=
=i4b8
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
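The "constant PRNG" failure mode described in the message above, as an added simulation that is not part of the thread and is not code from any TPM or other hardware vendor. It uses a simplified HMAC-DRBG (an assumption; the construction follows the HMAC-DRBG pattern but omits reseed counters and other details) and a constructed factory seed. Two device models are compared: one that restarts from the same factory state on every power-up, and one that mixes fresh entropy into that state at each boot. The check at the end is the kind of power-on self-test a defender would want: the first output after boot must never repeat, because per-sample statistical tests (bit balance here) pass just as happily on the cooked device.

```python
"""
Constant-PRNG simulation (added example, not from the mailing-list thread).

A good DRBG seeded once at the factory and never reseeded emits the same
stream on every power-up.  Whether the factory seed is secret or public,
the device is cooked: anyone who observes one boot knows every later boot.
"""
import hashlib
import hmac
import os


class HmacDrbg:
    """Simplified HMAC-DRBG (SHA-256).  Deterministic given its seed material."""

    def __init__(self, seed: bytes) -> None:
        self.key = b"\x00" * 32
        self.v = b"\x01" * 32
        self._update(seed)

    def _update(self, data: bytes) -> None:
        # HMAC-DRBG Update: fold optional data into (K, V).
        self.key = hmac.new(self.key, self.v + b"\x00" + data, hashlib.sha256).digest()
        self.v = hmac.new(self.key, self.v, hashlib.sha256).digest()
        if data:
            self.key = hmac.new(self.key, self.v + b"\x01" + data, hashlib.sha256).digest()
            self.v = hmac.new(self.key, self.v, hashlib.sha256).digest()

    def generate(self, nbytes: int) -> bytes:
        """Produce nbytes of output, then advance the state (no reseed)."""
        out = b""
        while len(out) < nbytes:
            self.v = hmac.new(self.key, self.v, hashlib.sha256).digest()
            out += self.v
        self._update(b"")
        return out[:nbytes]


# Constructed value standing in for a per-device seed burned in at manufacture.
MANUFACTURING_SEED = b"constructed-factory-seed-0001"


def constant_prng_boot() -> HmacDrbg:
    """Cooked device: every power-up restarts from the fixed factory state."""
    return HmacDrbg(MANUFACTURING_SEED)


def reseeded_boot() -> HmacDrbg:
    """Healthy device: factory seed plus fresh entropy gathered at each power-up."""
    return HmacDrbg(MANUFACTURING_SEED + os.urandom(32))


def first_outputs(boot_fn, boots: int, nbytes: int = 16) -> list[bytes]:
    """Simulate `boots` power cycles and record the first output of each."""
    return [boot_fn().generate(nbytes) for _ in range(boots)]


def repeats_across_boots(outputs: list[bytes]) -> bool:
    """Power-on self-test style check: True if any first-after-boot output repeats."""
    return len(set(outputs)) < len(outputs)


def bit_balance(data: bytes) -> float:
    """Fraction of one bits; a naive per-sample randomness check."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))


if __name__ == "__main__":
    cooked = first_outputs(constant_prng_boot, 5)
    healthy = first_outputs(reseeded_boot, 5)
    print("cooked device, outputs repeat across boots:", repeats_across_boots(cooked))
    print("healthy device, outputs repeat across boots:", repeats_across_boots(healthy))
    # The cooked stream still looks random sample by sample.
    print("cooked device bit balance:", round(bit_balance(constant_prng_boot().generate(1024)), 3))
```

The design point is that the defect is invisible to any test that looks at one output in isolation; it only shows up when outputs from different boots, or from different units sharing a seed, are compared. A real power-on self-test would persist the previous boot's first block in non-volatile storage and refuse to run if the new one matches it.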