Here are some scenarios where recovery from a state compromise would be important:
o A bug in system software that exposes PRNG state only rarely
o An attack that exposes PRNG state in a system that is well guarded against covert channels, limiting undetected outbound messages to a very low bit rate
o An attack that exposes PRNG state which requires physical access to a computer in a well guarded location, for example a Tempest attack where receiving equipment must be placed close to the system under attack
o A flaw in the hash algorithm used to protect the PRNG state that takes massive processing power to exploit
o Any attack that reveals only part of the PRNG state, forcing an expensive search to recover the unknown portion

My response to the expected question "How likely are any of these situations, really?" is "How difficult is it to implement a PRNG that safely and rapidly recovers from a state compromise?" If you believe the Dodis paper (http://www.cs.nyu.edu/~dodis/ps/rng.pdf), not very. We know that both criminal organizations and state actors devote great effort to finding any weaknesses. In particular, the expected rapid advance of the "Internet of Things" will produce many black-box diskless devices, some in critical functions, that have minimal entropy sources and software that is updated infrequently or never. I suggest that the Internet of Things should be a primary test case for any new RNG standards activity.

Arnold Reinhold

On Mar 11, 2014, at 3:54 PM, Theodore Ts'o <[email protected]> wrote:

> On Tue, Mar 11, 2014 at 07:13:44PM +0000, Alyssa Rowan wrote:
>> B. A 'running' state, which uses that key, holds it securely, and runs
>> a good deterministic random bit generator to generate as much
>> randomness as we need [up to some limit].
>>
>> Specifically, djb advocates running A -then- run B (presumably, up to
>> some defined limit, as no DRBG is sound _ad infinitum_, then we'd have
>> to block and go back to A to gather another key?).
>
> I'll note that a criterion for judging RNGs which is very popular
> with academics who love to write papers poking (theoretical) holes
> into random number generators is how quickly an RNG can recover from
> state compromise.
>
> One of the reasons why some people love RNGs such as Fortuna and
> Yarrow is that they are specifically designed to recover from state
> compromises --- and the scheme which djb has suggested would do poorly
> on that particular metric.
>
> Does it matter? Well, entire virtual forests of electronic trees have
> been felled by people speculating on whether fast/reliable recovery
> from state recovery is critically important compared to other design
> considerations.
>
> Personally, my take is that if you can compromise the state of the
> RNG, you can probably do far more damage, so I'm not convinced state
> compromise is a very high priority threat to defend against. But
> there are tons and tons of academic papers which are convinced that
> any RNG which doesn't worry about this attack is Fatally Flawed.
>
> - Ted
> _______________________________________________
> dsfjdssdfsd mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dsfjdssdfsd
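The recovery property Ted attributes to Fortuna and Yarrow, and the "how hard is it to implement" question Arnold raises, as an added example that is not code from this thread or from any of the people quoted. It is a cut-down, Fortuna-style accumulator and generator in Python; the choices of SHA-256 pools, HMAC-SHA-256 counter-mode output in place of Fortuna's AES, a 64-byte pool-0 threshold, round-robin event distribution and a rekey after every request are assumptions of this sketch, and the "entropy" fed in is constructed test data. It shows three things: an attacker who copies the whole state predicts output exactly until the next reseed; a reseed from pooled input the attacker has not seen breaks the prediction; and a generator that never reseeds after initial keying stays predictable for its lifetime.

```python
"""Fortuna-style accumulator/generator, simplified (not the Fortuna reference
code), to show recovery from a copied PRNG state via reseeding from pools."""
import hashlib
import hmac

NUM_POOLS = 32          # Fortuna uses 32 pools; pool i is drained every 2^i-th reseed
MIN_POOL0_BYTES = 64    # assumption: reseed once pool 0 has accumulated this much input


class FortunaLite:
    def __init__(self, reseed_enabled=True):
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.pool_bytes = [0] * NUM_POOLS
        self.key = bytes(32)        # generator key, replaced after every request
        self.counter = 0            # block counter, never reset
        self.reseed_count = 0
        self.seeded = False
        self.reseed_enabled = reseed_enabled   # False models "key once, never reseed"

    def add_event(self, source: int, pool: int, data: bytes) -> None:
        """Accumulate one entropy event into the given pool (source and length prefixed)."""
        self.pools[pool].update(bytes([source & 0xFF, len(data) & 0xFF]) + data)
        self.pool_bytes[pool] += len(data)

    def _reseed(self) -> None:
        self.reseed_count += 1
        seed = b""
        # Pool i contributes only when reseed_count is divisible by 2^i, so the
        # slow pools keep collecting input long after an attacker's snapshot.
        for i in range(NUM_POOLS):
            if self.reseed_count % (1 << i) != 0:
                break
            seed += self.pools[i].digest()
            self.pools[i] = hashlib.sha256()
            self.pool_bytes[i] = 0
        self.key = hashlib.sha256(self.key + seed).digest()
        self.seeded = True

    def _blocks(self, k: int) -> bytes:
        out = bytearray()
        for _ in range(k):
            self.counter += 1
            out += hmac.new(self.key, self.counter.to_bytes(16, "big"), hashlib.sha256).digest()
        return bytes(out)

    def random_data(self, n: int) -> bytes:
        if self.pool_bytes[0] >= MIN_POOL0_BYTES and (self.reseed_enabled or not self.seeded):
            self._reseed()
        if not self.seeded:
            raise RuntimeError("generator has not been seeded")
        out = self._blocks((n + 31) // 32)[:n]
        # Rekey after every request: a later state compromise cannot reveal
        # output produced before the compromise (backtracking resistance).
        self.key = self._blocks(1)
        return out

    def snapshot(self) -> "FortunaLite":
        """Simulate a state compromise: the attacker obtains an exact copy."""
        c = FortunaLite(self.reseed_enabled)
        c.pools = [p.copy() for p in self.pools]
        c.pool_bytes = list(self.pool_bytes)
        c.key, c.counter = self.key, self.counter
        c.reseed_count, c.seeded = self.reseed_count, self.seeded
        return c


def feed(rng: FortunaLite, events, source: int = 1) -> None:
    """Distribute events round-robin over the pools, as Fortuna's accumulator does."""
    for i, ev in enumerate(events):
        rng.add_event(source, i % NUM_POOLS, ev)


def compromise_recovery(reseed_enabled: bool) -> dict:
    """Can an attacker holding a copied state predict output before and after
    fresh (unseen) input arrives?  Returns both answers."""
    rng = FortunaLite(reseed_enabled)
    # Constructed "entropy"; a real device would feed interrupt timings, jitter, etc.
    feed(rng, [bytes([i]) * 8 for i in range(256)])   # 64 bytes land in pool 0
    rng.random_data(32)                  # first request triggers the initial seeding
    leaked = rng.snapshot()              # attacker copies the entire state
    before = rng.random_data(32) == leaked.random_data(32)
    # Fresh events the attacker never sees arrive before the next request.
    feed(rng, [bytes([0xA5, i]) * 4 for i in range(256)])
    after = rng.random_data(32) == leaked.random_data(32)
    return {"predictable_before_reseed": before, "predictable_after_reseed": after}


if __name__ == "__main__":
    print("reseeding generator:", compromise_recovery(True))
    print("never-reseed generator:", compromise_recovery(False))
```

The generator that reseeds reports predictable output up to the reseed and unpredictable output after it; the one that keys once and never reseeds reports predictable output in both cases, which is the metric on which Ted says a non-reseeding design does poorly. The scheme says nothing about how much entropy the second batch of events actually carried; the recovery argument only holds if the attacker cannot reconstruct the pool contents, which is exactly the assumption a diskless device with minimal entropy sources may fail to meet.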
