Date: Fri, 21 Jul 2000 14:20:40 -0700
From: "David Schwartz" <davids@webmaster.com>
To: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
Cc: <current@freebsd.org>
Subject: RE: randomdev entropy gathering is really weak
Message-ID: <NCBBLIEPOCNJOAEKBEAKMELHJNAA.davids@webmaster.com>
In-Reply-To: <3978806C.8BD1EDD6@vangelderen.org>
> You generate a new PGP keypair and start using it. Your
> co-worker reboots your machine afterwards and recovers
> the PRNG state that happens to be stashed on disk. He
> can then backtrack and potentially recover the exact same
> random numbers that you used for your key.

If that is possible, then Yarrow's algorithm is badly broken. It should not be possible to run a PRNG backwards without knowing what it output. Once it outputs something, the state information necessary to produce that output should be removed by the output process.

Imagine if I have a PRNG in state 0 (which I'll call "S(0)"). It then outputs a particular 32-bit PRN, called 'A', and is now in a new state S(1). Now, if one tries to backtrack from S(1) to S(0), one needs to know A. For every possible 32-bit A that could have been output, there's a different corresponding S'(0) (state that might have been S(0)). Since the attacker does not know A, he does not know which S'(0) corresponds to S(0), and hence cannot backtrack.

Since the people who developed this algorithm are pretty bright, I will conclude that this is not the case.

DS
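The backtracking argument above can be made concrete with a small contrast. The following Python is an added example written for this page, not code from the thread or from FreeBSD's randomdev/Yarrow implementation: it puts a textbook LCG, whose state update is invertible, next to a toy hash-based generator whose state update is one-way (a simplification of a "generator gate", not Yarrow's actual block-cipher construction). The constants, the `b"out"`/`b"next"` domain separation and the tiny seed sizes are all assumptions chosen for illustration. It also shows the caveat the thread's subject line points at: one-wayness only protects earlier outputs when the seed itself had enough entropy, because a captured state can otherwise be matched by guessing the seed.

```python
import hashlib

# Toy LCG constants (Numerical Recipes values); the output IS the new state.
M = 2 ** 32
A = 1664525
C = 1013904223


def lcg_next(state: int) -> int:
    """One step of the LCG: invertible because A is odd (a unit mod 2**32)."""
    return (A * state + C) % M


def lcg_previous(state: int) -> int:
    """Undo one LCG step. Anyone holding a later state can recover every
    earlier state, and therefore every earlier output, with no guessing."""
    a_inv = pow(A, -1, M)
    return (a_inv * (state - C)) % M


def lcg_backtrack(captured_state: int, steps: int) -> int:
    """Recover the state that existed `steps` outputs before `captured_state`."""
    s = captured_state
    for _ in range(steps):
        s = lcg_previous(s)
    return s


def hash_seed_state(seed: bytes) -> bytes:
    """Derive the initial state S(0) from a seed (constructed toy scheme)."""
    return hashlib.sha256(b"seed:" + seed).digest()


def hash_step(state: bytes):
    """Output A and next state S(i+1) are two separate one-way images of S(i).
    Going from S(i+1) back to S(i) would require inverting SHA-256, and the
    output A is not derivable from S(i+1) at all."""
    out = hashlib.sha256(state + b"out").digest()
    nxt = hashlib.sha256(state + b"next").digest()
    return out, nxt


def hash_generate(seed: bytes, n: int):
    """Run the one-way generator n times; return (outputs, final_state)."""
    state = hash_seed_state(seed)
    outs = []
    for _ in range(n):
        out, state = hash_step(state)
        outs.append(out)
    return outs, state


def brute_force_hash_seed(captured_state: bytes, seed_bits: int, steps: int):
    """The only route back from a captured one-way state is to guess the seed
    and replay. Feasible here solely because seed_bits is tiny; with a
    properly entropic seed this loop is the attacker's whole problem."""
    width = (seed_bits + 7) // 8
    for cand in range(2 ** seed_bits):
        seed = cand.to_bytes(width, "big")
        _, final = hash_generate(seed, steps)
        if final == captured_state:
            return seed
    return None


if __name__ == "__main__":
    # Invertible generator: three outputs, capture, walk straight back to the seed.
    s = 12345
    for _ in range(3):
        s = lcg_next(s)
    print("LCG seed recovered:", lcg_backtrack(s, 3) == 12345)

    # One-way generator with a 16-bit seed (constructed weak case): the state
    # cannot be inverted, yet the seed falls to 65536 guesses.
    weak_seed = (42).to_bytes(2, "big")
    outs, final = hash_generate(weak_seed, 1)
    guess = brute_force_hash_seed(final, 16, 1)
    print("weak seed guessed:", guess == weak_seed,
          "output recovered:", hash_generate(guess, 1)[0] == outs)
```

The design point is that `hash_step` discards the information needed to reproduce `out` once the state advances, which is what the post means by the output process removing state; `brute_force_hash_seed` is the reminder that this property is a statement about the update function, not about the seed, so weak entropy gathering at seed time still exposes earlier outputs.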