[cryptography] Fatal flaw in Taiwanese smart card RNG

Seth David Schoen schoen at loyalty.org
Mon Sep 16 12:56:11 EDT 2013

Krisztián Pintér writes:

> no. you can't test a rng by looking at the output. only the algorithm
> and the actual code can be analyzed and reviewed. it is because it
> is extremely easy to create a crappy rng that fools the smartest
> analytical tool on the planet. it is not that easy to fool an attacker
> that reverse engineers your system.

Well, there's a distinction between RNGs that have been maliciously
designed and RNGs that are just extremely poor (or just are
inadequately seeded but their designers or users don't realize this).

It sounds like such extremely poor RNGs are getting used in the wild
quite a bit, and these problems might well be detected by more
systematic and widespread use of these researchers' techniques.  It's
true that a maliciously designed RNG would not be detected this way.
The researchers do emphasize that

  An absence of common divisors is also not an indication of security.
  There are many potential vulnerabilities resulting from bad randomness;
  it is important to thoroughly test every component of a random-number
  generator, not merely to look for certain types of extreme failures.

Seth David Schoen <schoen at loyalty.org>      |  No haiku patents
     http://www.loyalty.org/~schoen/        |  means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |        -- Don Marti
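
Added example, not part of the original message and not the researchers' code: a batch GCD audit over a set of RSA moduli, the kind of common-divisor check discussed above. The key names and moduli are constructed (Mersenne primes stand in for RNG output); `card_d` shows the quoted caveat, since it shares no factor and is not flagged even though its primes are far too small.

```python
from math import gcd, prod

def product_tree(values):
    """Levels of pairwise products, leaves first, root (full product) last."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    return tree

def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all the other moduli)."""
    tree = product_tree(moduli)
    rems = tree.pop()                      # root: product P of every modulus
    while tree:                            # walk down, reducing P mod node^2
        level = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # P mod N^2 equals N * ((P/N) mod N), so dividing by N leaves (P/N) mod N
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(keys):
    """Map key name -> shared factor, for every modulus that shares one."""
    names = list(keys)
    hits = batch_gcd([keys[k] for k in names])
    return {k: g for k, g in zip(names, hits) if g > 1}

# Constructed sample: Mersenne primes stand in for RNG output.
M = {p: 2**p - 1 for p in (13, 17, 31, 61, 89, 107, 127)}
SAMPLE = {
    "card_a": M[61] * M[89],    # same prime as card_b: the RNG repeated itself
    "card_b": M[61] * M[107],
    "card_c": M[31] * M[127],   # no factor shared with any other key
    "card_d": M[13] * M[17],    # tiny primes, yet shares nothing: not flagged
}

if __name__ == "__main__":
    for name, factor in audit(SAMPLE).items():
        print(f"{name}: shares factor {factor}")
```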
