On 13 July 2013 07:32, Peter Gutmann <[email protected]> wrote:
> William Yager <[email protected]> writes:
>
> >no cryptographer ever got hurt by being too paranoid, and not trusting your
> >hardware is a great place to start.
>
> And while you're lying awake at night worrying whether the Men in Black have
> backdoored the CPU in your laptop, you're missing the fact that the software
> that's using the random numbers has 36 different buffer overflows, of which 27
> are remote-exploitable, and the crypto uses an RSA exponent of 1 and AES-CTR
> with a fixed IV.
>

Hmmm. The problem with flawed sources of randomness is that their effects can be somewhat more pervasive than a single vulnerable host or vulnerable piece of software. Remember when Debian's OpenSSL implementation had been accidentally mangled, causing the PRNG to produce predictable output (circa 2008, iirc)? 'Twas a bit of a pain in the bahookie for security administrators at the time.

It's a basic tenet of computing: crap in => crap out. If RdRand is in any way flawed then we can presume a state-level actor would be able to find that flaw, which would render vulnerable anything that relies on RdRand as its sole source of entropy... no matter how fancy the PRNG algorithm it seeds.

Granted, there are two assumptions there - that RdRand is the only source of entropy and that it is indeed flawed - but given how easy it is to mix entropy sources, the decision not to seems rather, well, silly... especially when one considers a context other than a home laptop such as, say, a certificate authority or generating keys in a defence/military application.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
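Mixing entropy sources the way the post above recommends, as an added illustration that is not part of the original thread: a seed derived from a suspect hardware source alone can be reproduced by anyone who can predict that source, while the same source mixed with one independent input cannot. HMAC-SHA256 as the combiner, the domain-separator key, and the fixed sample bytes standing in for the hardware and OS sources are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample inputs standing in for two independent entropy sources.
# In a real pool one would be the hardware RNG and one the OS pool; here they
# are fixed bytes so the example runs offline and deterministically.
HW_SOURCE_SUSPECT = bytes(32)                 # "flawed" source: all zeros, fully predictable
OS_SOURCE = bytes.fromhex("1f" * 32)          # constructed stand-in for OS-pool bytes
DOMAIN = b"entropy-mix-example-v1"            # fixed HMAC key / domain separator (assumption)


def mix_entropy(sources):
    """Combine several entropy sources into one 32-byte seed.

    Each source is length-prefixed and fed into a single HMAC-SHA256, so the
    seed depends on every input: if at least one input is unpredictable to an
    attacker, the seed is too, even when the others are fully known.
    """
    mac = hmac.new(DOMAIN, digestmod=hashlib.sha256)
    for src in sources:
        mac.update(len(src).to_bytes(4, "big"))   # length prefix avoids boundary ambiguity
        mac.update(src)
    return mac.digest()


def seed_from_hardware_only():
    """Seed derived only from the suspect hardware source (the sole-source case)."""
    return mix_entropy([HW_SOURCE_SUSPECT])


def seed_from_mixed_sources():
    """Seed from the suspect source mixed with an independent one."""
    return mix_entropy([HW_SOURCE_SUSPECT, OS_SOURCE])


def seed_live():
    """Same construction with a live OS-pool draw instead of the fixed stand-in."""
    return mix_entropy([HW_SOURCE_SUSPECT, os.urandom(32)])


def attacker_can_predict(seed, known_sources):
    """True if someone knowing only known_sources can reproduce seed."""
    return hmac.compare_digest(mix_entropy(known_sources), seed)


if __name__ == "__main__":
    # Knowing the flawed source alone reproduces a hardware-only seed...
    print(attacker_can_predict(seed_from_hardware_only(), [HW_SOURCE_SUSPECT]))   # True
    # ...but not a seed that also mixed in an independent source.
    print(attacker_can_predict(seed_from_mixed_sources(), [HW_SOURCE_SUSPECT]))   # False
```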
