Date:      Fri, 21 Jul 2000 20:36:33 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        David Schwartz <davids@webmaster.com>
Cc:        "Jeroen C. van Gelderen" <jeroen@vangelderen.org>, current@freebsd.org
Subject:   RE: randomdev entropy gathering is really weak
Message-ID:  <Pine.BSF.4.21.0007212029310.86009-100000@freefall.freebsd.org>
In-Reply-To: <NCBBLIEPOCNJOAEKBEAKMELHJNAA.davids@webmaster.com>

On Fri, 21 Jul 2000, David Schwartz wrote:

> > You generate a new PGP keypair and start using it. Your
> > co-worker reboots your machine afterwards and recovers
> > the PRNG state that happens to be stashed on disk. He
> > can then backtrack and potentially recover the exact same
> > random numbers that you used for your key.
> 
> 	If that is possible, then Yarrow's algorithm is badly broken. It
> should not be possible to run a PRNG backwards without knowing what it
> output. Once it outputs something, the state information necessary to
> produce that output should be removed by the output process.

Yarrow only reseeds every so often when it has enough entropy accumulated,
and changes its internal key using a "generator gate" every few inputs
(the paper suggests 10). So if you break the state of the algorithm (e.g.
if it were stored on disk after a reboot) you can learn up to 10 previous
PRNG outputs with that key, back to the previous generator gate or reseed.

This issue is common to all PRNGs that don't reseed with every output
value - it's discussed in the Yarrow paper, which you should read :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
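The generator-gate behaviour Kris describes, as an added illustration that is not part of the thread or of FreeBSD's randomdev: a toy Yarrow-style output stage in Python. SHA-256 over key||counter stands in for the block cipher in counter mode (an assumption to keep it dependency-free), and the constructed seed is arbitrary; the point shown is that a leaked key/counter state explains at most the outputs since the last gate, and every output back to the reseed when gating is disabled.

```python
import hashlib


def prf(key: bytes, counter: int) -> bytes:
    """Stand-in for Yarrow's E_K(counter). Assumption: SHA-256 over key||counter."""
    return hashlib.sha256(key + counter.to_bytes(16, "big")).digest()


class ToyYarrowGenerator:
    """Output stage of a Yarrow-style PRNG reduced to key, counter and gate."""

    def __init__(self, seed: bytes, gate_interval: int = 10):
        # A real reseed mixes pool entropy into the key; here the key is derived from the seed.
        self.key = hashlib.sha256(b"reseed" + seed).digest()
        self.counter = 0
        self.gate_interval = gate_interval  # paper suggests 10; 0 disables the gate
        self.since_gate = 0

    def _gate(self) -> None:
        # Generator gate: overwrite the key with one of the generator's own outputs.
        # The previous key is gone, so outputs made under it cannot be recomputed.
        self.counter += 1
        self.key = prf(self.key, self.counter)
        self.since_gate = 0

    def output(self) -> bytes:
        if self.gate_interval and self.since_gate == self.gate_interval:
            self._gate()
        self.counter += 1
        self.since_gate += 1
        return prf(self.key, self.counter)

    def snapshot(self):
        """What a saved-to-disk state (or memory dump) exposes: current key and counter."""
        return self.key, self.counter


def backtrack(snapshot, depth: int) -> set:
    """Everything the leaked key could have produced for the last `depth` counter values."""
    key, counter = snapshot
    return {prf(key, c) for c in range(counter, max(counter - depth, 0), -1)}


def recoverable_count(snapshot, emitted, depth: int = 64) -> int:
    """How many of the most recent real outputs the leaked state accounts for."""
    candidates = backtrack(snapshot, depth)
    n = 0
    for out in reversed(emitted):
        if out not in candidates:
            break  # this output was made under an earlier, already-overwritten key
        n += 1
    return n


def simulate(n_outputs: int, gate_interval: int = 10) -> int:
    gen = ToyYarrowGenerator(b"constructed-seed", gate_interval)
    emitted = [gen.output() for _ in range(n_outputs)]
    return recoverable_count(gen.snapshot(), emitted)
```

With a gate every 10 outputs, a state captured after 25, 30 or 31 outputs explains 5, 10 or 1 of them respectively; with gating disabled, all 25 are recoverable.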
