From owner-freebsd-current Fri Jul 21 14:20:45 2000
Delivered-To: freebsd-current@freebsd.org
Received: from shell.webmaster.com (ftp.webmaster.com [209.10.218.74]) by hub.freebsd.org (Postfix) with ESMTP id 9F46737C0D5 for ; Fri, 21 Jul 2000 14:20:41 -0700 (PDT) (envelope-from davids@webmaster.com)
Received: from whenever ([216.152.68.2]) by shell.webmaster.com (Post.Office MTA v3.5.3 release 223 ID# 0-12345L500S10000V35) with SMTP id com; Fri, 21 Jul 2000 14:20:06 -0700
From: "David Schwartz"
To: "Jeroen C. van Gelderen"
Cc:
Subject: RE: randomdev entropy gathering is really weak
Date: Fri, 21 Jul 2000 14:20:40 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <3978806C.8BD1EDD6@vangelderen.org>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> You generate a new PGP keypair and start using it. Your
> co-worker reboots your machine afterwards and recovers
> the PRNG state that happens to be stashed on disk. He
> can then backtrack and potentially recover the exact same
> random numbers that you used for your key.

If that is possible, then Yarrow's algorithm is badly broken. It should not be possible to run a PRNG backwards without knowing what it output. Once it outputs something, the state information necessary to produce that output should be removed by the output process.

Imagine if I have a PRNG in state 0 (which I'll call "S(0)"). It then outputs a particular 32-bit PRN, called 'A', and is now in a new state S(1). Now, if one tries to backtrack from S(1) to S(0), one needs to know A. For every possible 32-bit A that could have been output, there's a different corresponding S'(0) (state that might have been S(0)).

Since the attacker does not know A, he does not know which S'(0) corresponds to S(0), and hence cannot backtrack.

Since the people who developed this algorithm are pretty bright, I will conclude that this is not the case.

DS

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
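The property argued about above (whether holding S(1) lets you recover S(0) and the output A) depends entirely on whether the state update is invertible. The following added example, not from this thread or from Yarrow's implementation, contrasts a toy generator whose update is a bijection (so a recovered state yields every earlier output) with a hash-based generator whose output and next state are separate one-way images of the current state; the seeds and LCG constants are constructed for the example.

```python
import hashlib

# Toy LCG constants (constructed for this example, Numerical Recipes values).
A, C, M = 1664525, 1013904223, 2**32

def lcg_run(seed, n):
    """Run the linear generator n steps; return (outputs, final_state).
    The output of each step is simply the new state, as in many toy PRNGs."""
    state, outs = seed, []
    for _ in range(n):
        state = (A * state + C) % M
        outs.append(state)
    return outs, state

def lcg_backtrack(final_state, n):
    """Recover the last n outputs from S(n) alone.  Works because the state
    update is a bijection on 32-bit values: A is odd, so it has an inverse
    modulo 2**32 and every S(n) has exactly one predecessor S(n-1)."""
    a_inv = pow(A, -1, M)
    outs, state = [], final_state
    for _ in range(n):
        outs.append(state)
        state = ((state - C) * a_inv) % M
    return list(reversed(outs))

def hash_run(seed, n):
    """Hash-based generator with a one-way state update.  Output and next state
    are independent SHA-256 images of the current state, so the output bits are
    discarded from the state and S(n) gives no handle on S(n-1) or its output."""
    state, outs = seed, []
    for _ in range(n):
        outs.append(hashlib.sha256(b"output|" + state).digest())
        state = hashlib.sha256(b"next|" + state).digest()
    return outs, state

def hash_backtrack_possible(final_state, candidate_prev_states):
    """The only route back is guessing: a predecessor is recognised solely by
    re-hashing a candidate forward and comparing.  Returns the matching
    candidate or None; with a 256-bit state the candidate space is infeasible."""
    for cand in candidate_prev_states:
        if hashlib.sha256(b"next|" + cand).digest() == final_state:
            return cand
    return None
```

The defensive takeaway is the one the mail states: a generator whose state transition can be inverted must be treated as leaking every past output once its state is written to disk, whereas a one-way transition limits exposure to outputs produced after the compromise.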