On Sep 9, 2013, at 9:17 AM, Kent Borg wrote:
>> Which brings into the light the question: Just *why* have so many random
>> number generators proved to be so weak.
>
> Your three cases left off an important one: Not bothering to seed the PRNG at
> all. I think the Java/Android cryptographic (!) library bug that just came
> up was an instance of that.
>
> I think the root of the problem is that programs are written, and bugs
> squashed, until the program works. Maybe throw some additional testing at it
> if we are being thorough, but then business pressures and boredom says ship
> it.
>
> That won't catch a PRNG that wasn't seeded, nor a hashed password that wasn't
> salted, the unprotected URL, the SQL injection path, buffer overflow, etc.

Good observations, but I think you're being too pessimistic. All the examples
you give *could* be tested - but not by "ignorant black box testing" - testing
that ignores not just what's inside the box, but the actual requirements on
what the box is supposed to produce. A non-seeded PRNG, and even one seeded
with a very small amount of entropy, will be caught by a test that runs
multiple instances of the PRNG from the system starting state and ensures that
the ensemble of first outputs (and, for good measure, the first *couple* of
outputs) has the right statistics. Similarly, a test that inserts the same
password into multiple instances of the same system in the same state can check
that the hashed versions have the right statistics. No, these can't catch
deliberate attack code which produces random-looking values that the attacker
can predict - no test can. But it will catch a broad class of common errors.
The others aren't cryptographic issues and require different approaches.
The fact that there are bad testing practices - and that those bad practices
are used all too often - doesn't mean there aren't good practices, and that
they could not be applied. Where the testing is bad because of ignorance of
what is actually important and how to test for it, learning from the failures
of the past is the way forward - which was exactly the point of the "PRNG failures"
classification.
-- Jerry
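The two ensemble tests described in the reply above, as an added example in Python that is not part of the original thread: run many fresh instances from the same starting state, then check that the first PRNG outputs (and the stored password hashes) are almost all distinct. The weak and strong generators and hash functions are constructed stand-ins, and the entropy threshold is an assumption.

```python
import hashlib
import os
import random
from collections import Counter
from math import log2

# Each function below models "start a fresh instance from the same system
# state and take its first output". The weak variants are constructed here
# to stand in for the bugs under discussion; they are not real library code.

def unseeded_first_output() -> int:
    # Never seeded: every fresh instance begins in the same default state.
    return random.Random(0).getrandbits(32)

def weakly_seeded_first_output() -> int:
    # Seeded from only 8 bits of entropy: at most 256 distinct first outputs.
    return random.Random(os.urandom(1)[0]).getrandbits(32)

def well_seeded_first_output() -> int:
    # Seeded from 256 bits of OS entropy.
    return random.Random(int.from_bytes(os.urandom(32), "big")).getrandbits(32)

def ensemble_entropy_bits(samples) -> float:
    """Empirical Shannon entropy of the first-output ensemble, in bits."""
    n = len(samples)
    return -sum(c / n * log2(c / n) for c in Counter(samples).values())

def prng_ensemble_passes(first_output, runs=2000, min_bits=10.0) -> bool:
    """Run `runs` fresh instances; first outputs should be almost all distinct,
    i.e. entropy close to log2(runs), about 10.97 bits for 2000 runs.
    An unseeded PRNG scores 0 bits; an 8-bit seed scores at most 8 bits."""
    samples = [first_output() for _ in range(runs)]
    return ensemble_entropy_bits(samples) >= min_bits

def unsalted_hash(password: bytes) -> bytes:
    # Deterministic: identical across instances, which the test flags.
    return hashlib.sha256(password).digest()

def salted_hash(password: bytes) -> bytes:
    # Per-instance random salt stored alongside the derived key. Iteration
    # count is kept low only so the ensemble test runs quickly.
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

def password_ensemble_passes(hash_fn, password=b"constructed-pw", runs=100) -> bool:
    """Insert the same password into `runs` fresh instances; every stored
    value must differ, otherwise salting is missing or broken."""
    return len({hash_fn(password) for _ in range(runs)}) == runs
```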
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography