[Cryptech Tech] Some thoughts and questions on the RNG strategy
Randy Bush
randy at psg.com
Thu Feb 6 22:51:12 UTC 2014
From: "Steven M. Bellovin" <smb at cs.columbia.edu>
Subject: Re: [Cryptech Tech] Some thoughts and questions on the RNG strategy
To: Randy Bush <randy at psg.com>
Date: Thu, 6 Feb 2014 11:38:35 -0500
I need to think about it a bit more. Dan Bernstein is very smart and
rather quirky. Sometimes, he’s right; other times (like his DNSSEC
“replacement”), he’s completely wrong. In this case, I suspect that
his threat models are too strong or are inconsistent.
As for the specific choices: the part about injecting seed values
scares me, since that’s an open door for malware to inject known
state.
Normally, I’d suggest using a NIST-standard PRNG; right now, that
scares me a bit, for some reason… For ChaCha, though, I’d like to see
published analyses of its output randomness; the lack of that was one
of the early warning flags for RC4.
“Ample time to collect and curate” randomness is not a feature, since
it means that this state is lying around the system. A major point of
injecting new randomness is to deal with transient access by
attackers.
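The two concerns above, a seed-injection interface that lets an attacker set known state, and reseeding as the recovery mechanism after an attacker has had transient read access, can be shown side by side with a toy hash-based DRBG. This is an added illustration, not Cryptech code and not a ChaCha or NIST construction; the DRBG, the `reseed_replace`/`reseed_mix` split and the attacker model are assumptions made here for the demonstration.

```python
import hashlib
import os


class ToyDRBG:
    """Toy hash-chain DRBG, illustration only (not a real ChaCha/NIST DRBG)."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"init" + seed).digest()

    def clone(self) -> "ToyDRBG":
        # Models an attacker who read the state once (transient access).
        c = ToyDRBG(b"")
        c.state = self.state
        return c

    def output(self, nbytes: int = 32) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()[:nbytes]
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out

    def reseed_replace(self, seed: bytes) -> None:
        # The "inject a seed" API as an open door: whoever supplies `seed`
        # now knows the entire state, regardless of what it was before.
        self.state = hashlib.sha256(b"init" + seed).digest()

    def reseed_mix(self, seed: bytes) -> None:
        # Mixing: new state depends on the old state AND the new input, so an
        # attacker needs both to predict anything.
        self.state = hashlib.sha256(b"mix" + self.state + seed).digest()


def demo_known_seed_injection() -> dict:
    """Attacker knows only the value it injected; can it predict the next output?"""
    injected = b"A" * 32  # attacker-chosen (constructed) seed
    results = {}

    victim = ToyDRBG(os.urandom(32))  # honest, secret initial seed
    victim.reseed_replace(injected)
    # Attacker rebuilds the generator from the injected value alone.
    results["replace_predictable"] = ToyDRBG(injected).output() == victim.output()

    victim = ToyDRBG(os.urandom(32))
    victim.reseed_mix(injected)
    # Same injection, but the unknown prior state still protects the output.
    results["mix_predictable"] = ToyDRBG(injected).output() == victim.output()
    return results


def demo_transient_compromise() -> dict:
    """Attacker copied the state once; does fresh mixed-in entropy cut it off?"""
    victim = ToyDRBG(os.urandom(32))
    stolen = victim.clone()  # one-time read of the state
    results = {}

    # While no new randomness is mixed in, the copy tracks the victim exactly.
    results["before_reseed_predictable"] = stolen.output() == victim.output()
    results["still_predictable"] = stolen.output() == victim.output()

    # Fresh entropy the attacker never saw is mixed in; the copy diverges.
    victim.reseed_mix(os.urandom(32))
    results["after_reseed_predictable"] = stolen.output() == victim.output()
    return results


if __name__ == "__main__":
    print(demo_known_seed_injection())
    print(demo_transient_compromise())
```

The first demo is the "open door": with a replace-style seed interface, the injector predicts every subsequent output with nothing but the value it supplied. The second shows why reseeding exists at all: an attacker who captured the state once keeps predicting until fresh input is mixed in, and state that sits around unchanged for a long time extends that window.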