Changed subject line; my mind is elsewhere today, sorry.

On Wed, Jan 29, 2014 at 02:42:07PM -0800, [email protected] wrote:
> A good PRNG should make the state of the RNG not provide any previous outputs
> (forward security).
> This can be important for example in java where the objects sit around a
> while in memory.
> Further, even with some subset of the previous outputs and the current state,
> one should not be able to derive any other previous outputs.

These are pretty easy to accomplish with good hashes.

It also reminds me of "over-the-air rekeying":

http://en.wikipedia.org/wiki/Over_the_Air_Rekeying

I wonder if one could usefully use hashes or PRNGs to establish a key
sequence to limit the amount of data encrypted under one key or to reduce
the need for key renegotiation. I suspect a key renegotiation conducted
under the current session key would be more secure than a bare one, as
well. But I digress.

> Obviously state disclosure is not forward secure unless reseeded (not exactly
> a PRNG in that case)

That should read backwards secure.

> Yarrow has good information on seeding for forward security.

https://www.schneier.com/yarrow.html

Choice quote:

    A PRNG is the unsexy part of a cryptographic system. People don't think
    much about them, but they're used just about everywhere in cryptography.
    Random numbers are in session keys, initialization vectors, public-key
    generation, and many other places. If the random numbers are insecure,
    then the entire application is insecure. Algorithms and protocols can't
    cover for bad random numbers.

Well, they just got sexier.

> Schneier's "Practical Cryptography" has good details on RNG attacks.

He also has a decent paper, linked to from Yarrow:

https://www.schneier.com/paper-prngs.pdf

This has a good set of recommendations which are obviously not followed.

I'll probably put together a RNG link master list one day.

-- 
http://www.subspacefield.org/~travis/
Remediating... LIKE A BOSS
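The two properties discussed in the message above (a state capture should reveal no earlier outputs, and a hash ratchet can double as a schedule of per-segment keys) are illustrated by the following Python, which is an added example and not code from the thread, from Yarrow, or from any of the linked papers. The class names, the domain-separation tags and the seeds are constructed for illustration; the toy `CounterPRNG` exists only to show the failure mode that the ratcheting design avoids.

```python
import hashlib
from typing import List


def _h(tag: bytes, *parts: bytes) -> bytes:
    """SHA-256 with a domain-separation tag so that the 'output' and 'next state'
    derivations of the same state can never collide. Length-prefixing each part
    avoids ambiguity when parts are concatenated."""
    d = hashlib.sha256(tag)
    for p in parts:
        d.update(len(p).to_bytes(4, "big"))
        d.update(p)
    return d.digest()


class CounterPRNG:
    """Toy design WITHOUT forward security (constructed for contrast).

    State is (key, counter) and output_i = H(key, i). Whoever captures the
    state, e.g. from a long-lived object on the heap, can rewind the counter
    and recompute every output ever produced."""

    def __init__(self, seed: bytes):
        self.key = _h(b"ctr-seed", seed)
        self.counter = 0

    def next_block(self) -> bytes:
        out = _h(b"ctr-out", self.key, self.counter.to_bytes(8, "big"))
        self.counter += 1
        return out

    def rewind_outputs(self) -> List[bytes]:
        """Everything a holder of the current state can recover: all past outputs."""
        return [_h(b"ctr-out", self.key, i.to_bytes(8, "big"))
                for i in range(self.counter)]


class HashRatchetPRNG:
    """Forward-secure design: after every output the state is replaced by a
    one-way hash of itself. Recovering an earlier state (and hence an earlier
    output) from a captured one would require inverting SHA-256."""

    def __init__(self, seed: bytes):
        self.state = _h(b"ratchet-seed", seed)

    def next_block(self) -> bytes:
        out = _h(b"ratchet-out", self.state)      # output for this step
        self.state = _h(b"ratchet-next", self.state)  # one-way ratchet step
        return out

    def reseed(self, fresh_entropy: bytes) -> None:
        """Backward security needs fresh entropy: once the state has leaked,
        only mixing in bytes the attacker does not know makes future outputs
        unpredictable again. The ratchet alone cannot do that."""
        self.state = _h(b"ratchet-reseed", self.state, fresh_entropy)


def key_schedule(master: bytes, bytes_per_key: int, total_bytes: int) -> List[bytes]:
    """Derive the chain of segment keys needed to protect total_bytes when each
    key may cover at most bytes_per_key bytes. Both peers run the identical
    ratchet from the shared master, so switching keys needs no renegotiation
    message, and a key captured late in the session does not expose earlier
    segments."""
    if bytes_per_key <= 0:
        raise ValueError("bytes_per_key must be positive")
    segments = -(-total_bytes // bytes_per_key)  # ceiling division
    prng = HashRatchetPRNG(master)
    return [prng.next_block() for _ in range(segments)]


if __name__ == "__main__":
    weak = CounterPRNG(b"constructed seed")
    produced = [weak.next_block() for _ in range(3)]
    print("counter design: state rewinds to past outputs:",
          weak.rewind_outputs() == produced)

    strong = HashRatchetPRNG(b"constructed seed")
    first = strong.next_block()
    strong.next_block()
    print("ratchet design: captured state is", strong.state.hex()[:16], "...")
    print("   earlier output was", first.hex()[:16], "... (not derivable from it)")
    print("keys for 2500 bytes at 1024 per key:", len(key_schedule(b"master", 1024, 2500)))
```

The contrast is the point: both generators produce unpredictable-looking 32-byte blocks, but only the ratcheting one satisfies the forward-security requirement the quoted message asks for, and neither gives backward security without a `reseed` that carries entropy the attacker does not hold.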
