zo...@zooko.com (Zooko Wilcox-O'Hearn) on Thursday, October 29, 2009 wrote:

>I'm beginning to think that *in general* when I see a random number  
>required for a crypto protocol then I want to either  
>deterministically generate it from other data which is already  
>present or to have it explicitly provided by the higher-layer  
>protocol.  In other words, I want to constrain the crypto protocol  
>implementation by forbidding it to read the clock or to read from a  
>globally-available RNG, thus making that layer deterministic.

One concern is that if the encryption key is deterministically generated
from the data, then the same plain text will generate the same cypher text,
and a listener will know that the same message has been sent. The same
observation applies to a DSA signature. If this leakage of information is
not a problem, e.g. the signature is encrypted along with the data using a
non-deterministic key, then there doesn't seem to be anything obviously wrong
with the approach. (But remember, I'm far from an expert.)

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"After all, if the conventional wisdom was working, the
408-356-8506       | rate of systems being compromised would be going down,
www.periwinkle.com | wouldn't it?" -- Marcus Ranum
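The leakage Bill describes, as an added example that is not part of the thread: when the "random" nonce a cipher needs is derived deterministically from the message, two encryptions of the same plaintext under the same key are byte-identical, so a passive observer learns that the same message was sent twice; a freshly random nonce hides that. The cipher here is a constructed stand-in (HMAC-SHA256 used as a PRF in counter mode) so the example runs with the standard library only; it is not a recommendation of that construction.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher with HMAC-SHA256 as the PRF (stand-in for a real cipher).

    Encryption and decryption are the same operation (XOR with the keystream).
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_deterministic(key: bytes, plaintext: bytes) -> bytes:
    """Nonce derived from the data itself: the layer never reads an RNG.

    Same key + same plaintext always yields the same ciphertext.
    """
    nonce = hashlib.sha256(plaintext).digest()[:NONCE_LEN]
    return nonce + keystream_xor(key, nonce, plaintext)


def encrypt_randomized(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message: repeated plaintexts are indistinguishable."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Works for both modes since the nonce travels in the clear."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return keystream_xor(key, nonce, body)


def observer_sees_repeat(ciphertexts) -> bool:
    """What a passive listener can tell: did any two ciphertexts match exactly?"""
    return len(set(ciphertexts)) < len(ciphertexts)


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()  # constructed sample key
    msg = b"attack at dawn"                                   # constructed sample message
    det = [encrypt_deterministic(key, msg) for _ in range(3)]
    rnd = [encrypt_randomized(key, msg) for _ in range(3)]
    print("deterministic nonce, repeat visible:", observer_sees_repeat(det))
    print("random nonce, repeat visible:       ", observer_sees_repeat(rnd))
```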

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com