[cryptography] Duplicate primes in lots of RSA moduli

Ben Laurie ben at links.org
Mon Feb 20 13:29:12 EST 2012

On Mon, Feb 20, 2012 at 5:22 PM, Thierry Moreau
<thierry.moreau at connotech.com> wrote:
> Then, basically the freebsd design is initial seeding of a deterministic
> PRNG. If a) the PRNG design is cryptographically strong (a qualification
> which can be fairly reliable if done with academic scrutiny), and b) the
> PRNG state remains secret, THEN the secret random source is good through the
> system operating life cycle. (I make a restriction of the design as a simple
> PRNG because periodic true random data merging into the PRNG state is
> something not studied in the algorithmic theory publications.)
> The secrecy of the PRNG state is a requirement NO GREATER THAN the secrecy
> of any long-term secret (e.g. a MAC symmetric key or a digital signature
> private key) needed during the system operating life cycle. Even if there
> were a few cases where a security system requires a random source, but not a
> single long-term secret, an anecdotal case may not be the best model for a
> general-purpose OS design. By logical inference then, requiring continuous
> (or periodic) true random data collection is an over-design (i.e.
> engineering resources better put into greater assurance about secrecy
> protections), or a plain design flaw (remaining vulnerabilities in the
> secrecy attack vectors overlooked due to attention paid to true random data
> collection).
> So, the freebsd design appears reasonable to me.

FreeBSD does actually introduce extra randomness over time.
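To make the difference between the two designs concrete, here is an added illustration (not code from this thread, FreeBSD, or either poster): a constructed toy PRNG whose output is HMAC-SHA256 over a secret state, showing that a one-time exposure of that state lets every later output be reproduced for as long as the state is never refreshed, whereas mixing in fresh true-random data the attacker did not see (the periodic merging Ben refers to) ends the exposure. Names and the seeding construction are assumptions for this example, not any real generator's design.

```python
import hashlib
import hmac


class SeededPrng:
    """Constructed toy deterministic PRNG: state -> HMAC-SHA256 in counter mode."""

    def __init__(self, seed: bytes):
        # Derive the initial secret state once from the seed (the freebsd-style model).
        self.state = hashlib.sha256(b"seed|" + seed).digest()
        self.counter = 0

    def next_bytes(self, n: int = 32) -> bytes:
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.state, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return out[:n]

    def reseed(self, fresh: bytes) -> None:
        # Periodic mixing of true random data: the new state depends on data the attacker never saw.
        self.state = hashlib.sha256(b"reseed|" + self.state + fresh).digest()
        self.counter = 0

    def snapshot(self) -> tuple:
        return (self.state, self.counter)

    @classmethod
    def from_snapshot(cls, snap: tuple) -> "SeededPrng":
        # Model of a state disclosure: rebuild an identical generator from the leaked state.
        p = cls.__new__(cls)
        p.state, p.counter = snap
        return p


def state_leak_experiment(seed: bytes, fresh_entropy: bytes, draws: int = 5) -> tuple:
    """Return (all outputs predictable before reseed, any output predictable after reseed)."""
    victim = SeededPrng(seed)
    victim.next_bytes()                       # some prior use before the leak
    clone = SeededPrng.from_snapshot(victim.snapshot())  # single state exposure
    before = all(victim.next_bytes() == clone.next_bytes() for _ in range(draws))
    victim.reseed(fresh_entropy)              # defender's recovery step
    after = any(victim.next_bytes() == clone.next_bytes() for _ in range(draws))
    return before, after


if __name__ == "__main__":
    print(state_leak_experiment(b"constructed-seed", b"constructed-fresh-entropy"))
```

With only state secrecy, `before` is True for every draw (the secret must hold for the system's whole life); after one reseed the clone stops matching, which is the property a single long-term key never gives you.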
