Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Alan Braggins
On 23 September 2013 01:09, Phillip Hallam-Baker hal...@gmail.com wrote: So we think there is 'some kind' of backdoor in a random number generator. One question is how the EC math might make that possible. Another is how might the door be opened. Are you talking about

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Jerry Leichter
On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker hal...@gmail.com wrote: I was thinking about this and it occurred to me that it is fairly easy to get a public SSL server to provide a client with a session key - just ask to start a session. Which suggests that maybe the backdoor [for an

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Phillip Hallam-Baker
On Tue, Sep 24, 2013 at 10:59 AM, Jerry Leichter leich...@lrw.com wrote: On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker hal...@gmail.com wrote: I was thinking about this and it occurred to me that it is fairly easy to get a public SSL server to provide a client with a session key - just

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Gerardus Hendricks
So we think there is 'some kind' of backdoor in a random number generator. One question is how the EC math might make that possible. Another is how might the door be opened. I'm assuming you're talking about DUAL_EC_DRBG. Where the backdoor is and how it can be exploited is pretty simple to

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Jerry Leichter
On Sep 24, 2013, at 7:53 PM, Phillip Hallam-Baker wrote: There are three ways a RNG can fail 1) Insufficient randomness in the input 2) Losing randomness as a result of the random transformation 3) Leaking bits through an intentional or unintentional side channel What I was concerned

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Jerry Leichter
On Sep 24, 2013, at 6:11 PM, Gerardus Hendricks konfku...@riseup.net wrote: I'm assuming you're talking about DUAL_EC_DRBG. ... According to the researchers from Microsoft, exploiting this would require at most 32 bytes of the PRNG output to reveal the internal state, thus revealing all

Re: [Cryptography] The hypothetical random number generator backdoor

2013-09-25 Thread Nico Williams
On Sep 25, 2013 8:06 AM, John Kelsey crypto@gmail.com wrote: On Sep 22, 2013, at 8:09 PM, Phillip Hallam-Baker hal...@gmail.com wrote: Either way, the question is how to stop this side channel attack. One simple way would be to encrypt the nonces from the RNG under a secret key

[Cryptography] The hypothetical random number generator backdoor

2013-09-24 Thread Phillip Hallam-Baker
So we think there is 'some kind' of backdoor in a random number generator. One question is how the EC math might make that possible. Another is how might the door be opened. I was thinking about this and it occurred to me that it is fairly easy to get a public SSL server to provide a client with