[cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

Peter Maxwell peter at allicient.co.uk
Sat Jul 13 23:39:14 EDT 2013


On 13 July 2013 07:32, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:

> William Yager <will.yager at gmail.com> writes:
>
> >no cryptographer ever got hurt by being too paranoid, and not trusting your
> >hardware is a great place to start.
>
> And while you're lying awake at night worrying whether the Men in Black have
> backdoored the CPU in your laptop, you're missing the fact that the software
> that's using the random numbers has 36 different buffer overflows, of which 27
> are remote-exploitable, and the crypto uses an RSA exponent of 1 and AES-CTR
> with a fixed IV.
>


Hmmm. The problem with flawed sources of randomness is their effects can be
somewhat more pervasive than a single vulnerable host or vulnerable piece
of software.  Remember when Debian's OpenSSL implementation had been
accidentally mangled causing the PRNG to produce predictable output (circa
2008, iirc)?  Twas a bit of a pain in the bahookie for security
administrators at the time.

It's a basic tenet of computing: crap in => crap out.  If a RnRand is in
any way flawed then we can presume a state-level actor would be able to
find that flaw, which would render vulnerable anything that relies on
RnRand as its sole source of entropy... no matter how fancy the PRNG
algorithm it seeds.  Granted there are two assumptions there - that RnRand
is the only source of entropy and that it is indeed flawed - but given how
easy it is to mix entropy sources, the decision not to seems rather, well,
silly... especially when one considers a context other than a home laptop
such as, say, a certificate authority or generating keys in a
defence/military application.
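The mixing of entropy sources the post argues for, as an added example that is not part of the original thread or any project mentioned in it. It combines several inputs into one seed with a length-prefixed SHA-256 construction, so the seed stays unpredictable as long as at least one input is, and it includes a constructed stand-in for a source whose only variable input is the process id (a toy in the spirit of the Debian incident, not the real bug) to show how small such a source's state space is on its own. The names `mix_entropy`, `flawed_source`, `PID_SPACE` and the domain string are all assumptions of this example.

```python
import hashlib
import os
import struct


def mix_entropy(sources, domain=b"entropy-mix-v1"):
    """Combine several entropy inputs into one 32-byte seed.

    Every input is length-prefixed before hashing so the boundaries between
    inputs are unambiguous (without this, [b"ab", b"c"] and [b"a", b"bc"]
    would hash identically).  SHA-256 acts as the mixing function: if at
    least one input is unpredictable to an attacker, the output is too, even
    when every other input is fully known or chosen by that attacker.  A
    flawed source therefore weakens nothing; it simply contributes nothing.
    """
    h = hashlib.sha256()
    h.update(struct.pack(">I", len(domain)) + domain)   # domain separation
    h.update(struct.pack(">I", len(sources)))           # number of inputs
    for src in sources:
        h.update(struct.pack(">I", len(src)))           # length prefix
        h.update(src)
    return h.digest()


# Constructed toy: a "random" source whose only varying input is a process id.
# It can produce at most PID_SPACE distinct outputs, however strong the hash
# that post-processes it, which is exactly the "crap in => crap out" point.
PID_SPACE = 32768


def flawed_source(pid):
    """Hypothetical broken RNG output that depends on nothing but the pid."""
    return hashlib.sha256(b"toy-flawed-rng" + struct.pack(">I", pid)).digest()


def count_distinct_outputs(source, state_count):
    """Measure how many different values a source can actually emit."""
    return len({source(i) for i in range(state_count)})


def seed_from_flawed_only(pid):
    """Seed derived from the flawed source alone: bounded by PID_SPACE."""
    return mix_entropy([flawed_source(pid)])


def seed_with_mixing(pid, independent_entropy):
    """Seed derived from the flawed source plus an independent input.

    The flawed input is still included (it costs nothing), but the seed's
    unpredictability now rests on independent_entropy as well.
    """
    return mix_entropy([flawed_source(pid), independent_entropy])


if __name__ == "__main__":
    pid = os.getpid() % PID_SPACE
    print("distinct outputs of the flawed source alone:",
          count_distinct_outputs(flawed_source, PID_SPACE))
    print("flawed-only seed:", seed_from_flawed_only(pid).hex())
    # os.urandom stands in for a second, independent source (e.g. the OS pool).
    print("mixed seed:      ", seed_with_mixing(pid, os.urandom(32)).hex())
```

Running it prints 32768 for the flawed source's whole output space, which is the number of candidates anyone would need to enumerate to recover a flawed-only seed; the mixed seed has no such bound because it also depends on the independent input. In a real system the same shape applies with the OS pool, a hardware source and any other available input as the list passed to the mixer, and a proper KDF or the kernel's own mixing function in place of the bare hash.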