From owner-freebsd-current Fri Jul 21 20:36:34 2000
Delivered-To: freebsd-current@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 42C8237B7FF; Fri, 21 Jul 2000 20:36:33 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id UAA86483; Fri, 21 Jul 2000 20:36:33 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Fri, 21 Jul 2000 20:36:33 -0700 (PDT)
From: Kris Kennaway
To: David Schwartz
Cc: "Jeroen C. van Gelderen", current@freebsd.org
Subject: RE: randomdev entropy gathering is really weak
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 21 Jul 2000, David Schwartz wrote:

> > You generate a new PGP keypair and start using it. Your
> > co-worker reboots your machine afterwards and recovers
> > the PRNG state that happens to be stashed on disk. He
> > can then backtrack and potentially recover the exact same
> > random numbers that you used for your key.
>
> If that is possible, then Yarrow's algorithm is badly broken. It
> should not be possible to run a PRNG backwards without knowing what it
> output. Once it outputs something, the state information necessary to
> produce that output should be removed by the output process.

Yarrow only reseeds every so often when it has enough entropy accumulated, and changes its internal key using a "generator gate" every few inputs (the paper suggests 10). So if you break the state of the algorithm (e.g. if it were stored on disk after a reboot) you can learn up to 10 previous PRNG outputs with that key, back to the previous generator gate or reseed.

This issue is common to all PRNGs that don't reseed with every output value - it's discussed in the Yarrow paper, which you should read :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
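The exposure window Kris describes, as an added illustration that is not FreeBSD's randomdev code and not the Yarrow reference design: a toy counter-mode generator with a Yarrow-style generator gate every 10 outputs (the figure quoted in the message). Assumptions, all constructed for this example: SHA-256 keyed over the counter stands in for the block cipher Yarrow runs in counter mode, and the names `ToyYarrowGenerator`, `outputs_exposed_by_state`, `exposure_after` and `exposure_after_gated_save` are hypothetical. Because each block is just `prf(key, counter)`, whoever holds a saved `(key, counter)` can recompute every block made under that key, but not blocks made under a key the gate already discarded, so the count of recoverable past outputs is bounded by the gate interval. The last function shows the obvious defensive consequence: gate (or better, reseed) immediately before the state is persisted, and the saved key made none of the past outputs.

```python
"""Toy model of Yarrow's generator gate, to show what a captured PRNG state reveals.

Added example: not FreeBSD's code and not the Yarrow paper's implementation. SHA-256 is
an assumed stand-in for the block cipher Yarrow runs in counter mode.
"""
import hashlib

GATE_INTERVAL = 10  # outputs per key before the generator gate rekeys (value from the message)


def prf(key: bytes, counter: int) -> bytes:
    """Assumption: keyed hash as a stand-in for E_K(counter) in counter mode."""
    return hashlib.sha256(key + counter.to_bytes(16, "big")).digest()


class ToyYarrowGenerator:
    """Counter-mode output generator with a Yarrow-style generator gate (hypothetical name)."""

    def __init__(self, seed: bytes, gate_interval: int = GATE_INTERVAL):
        self.key = hashlib.sha256(b"seed:" + seed).digest()
        self.counter = 0
        self.gate_interval = gate_interval
        self.since_gate = 0

    def _block(self) -> bytes:
        out = prf(self.key, self.counter)
        self.counter += 1
        return out

    def generator_gate(self) -> None:
        """Replace the key with the generator's own next block. The old key is discarded,
        and the new key cannot be run backwards through the PRF to recover it."""
        self.key = self._block()
        self.since_gate = 0

    def next_output(self) -> bytes:
        # Gate lazily, once gate_interval outputs have been produced under the current key.
        if self.since_gate >= self.gate_interval:
            self.generator_gate()
        self.since_gate += 1
        return self._block()

    def state(self) -> tuple:
        """What would land on disk if the generator state were saved as-is."""
        return self.key, self.counter


def outputs_exposed_by_state(key: bytes, counter: int, history: list) -> list:
    """Indices into `history` that a holder of (key, counter) can recompute.

    Every block made under `key` is prf(key, c) for some c < counter, so recomputing all of
    them is enough; blocks made under an earlier, gated-away key never match.
    """
    recomputed = {prf(key, c) for c in range(counter)}
    return [i for i, out in enumerate(history) if out in recomputed]


def exposure_after(n_outputs: int, gate_interval: int = GATE_INTERVAL) -> int:
    """Produce n_outputs, capture the state as-is, count how many past outputs it reveals."""
    gen = ToyYarrowGenerator(b"constructed demo seed", gate_interval)
    history = [gen.next_output() for _ in range(n_outputs)]
    key, counter = gen.state()
    return len(outputs_exposed_by_state(key, counter, history))


def exposure_after_gated_save(n_outputs: int, gate_interval: int = GATE_INTERVAL) -> int:
    """Same, but the generator is gated right before its state is captured: the saved key
    produced none of the earlier outputs, so the captured state reveals nothing."""
    gen = ToyYarrowGenerator(b"constructed demo seed", gate_interval)
    history = [gen.next_output() for _ in range(n_outputs)]
    gen.generator_gate()
    key, counter = gen.state()
    return len(outputs_exposed_by_state(key, counter, history))


if __name__ == "__main__":
    for n in (25, 30, 31):
        print(f"after {n} outputs: state saved as-is reveals {exposure_after(n)} past outputs; "
              f"gated before saving reveals {exposure_after_gated_save(n)}")
```

With the gate every 10 outputs, a state captured after 25 outputs reveals the 5 made since the last gate, one captured after 30 reveals all 10 of the current key's outputs, and one captured after 31 reveals only 1, since the 31st output triggered a gate first. Gating before the save brings every case to 0, which is the same reason a seed file should be rewritten from fresh generator output (and the pool reseeded on boot) rather than saved as the raw running state.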