[Cryptech Tech] SHA-2 security and RNG verification

Philipp Gühring pg at futureware.at
Thu Jun 4 17:06:28 UTC 2015


Hi,

I just stumbled across some Cryptech design diagrams, and wanted to let
you know about a potential problem there. I have not done a deeper
analysis, whether the problem really applies to your current design, so if
you have countermeasures already in place, or if it does not apply, please
ignore this email.

The problem I see is the usage of SHA-512 (or SHA-256) as a random number
mixer. SHA-512 has the property that it outputs its complete internal
state, which causes length-extension attacks for other applications. For
random number applications, I am worrying about the
forward-and-backward-unguessability. Leaking the internal state can make
it possible for attackers to guess previous or later random numbers from
the output of random numbers, which is a property you definitely do not
want for random number generators.
The suggestion I normally have is to use SHA2-384 or SHA-3 instead, but I
am not sure whether that's the optimal choice for this project. SHA2-384
reveals only a part of the internal state (even that might be too much, I
am not sure there).

Best regards,
Philipp Gühring

PS: I haven't noticed a submission of your generated random numbers on my
RNG testsite yet, so I would like to invite you to use it:
http://www.cacert.at/random/
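The concern raised above, shown on two toy generators as an added example (this is not Cryptech's design and not the poster's code): the first emits the SHA-512 chaining value directly, so each output is the generator's entire state and anyone who sees one output can compute every later output until a reseed; the second keeps the state secret and derives output and state update from domain-separated hash inputs, in the spirit of a Hash_DRBG-style construction (that separation is an assumed mitigation, not something the mail prescribes). The seed and byte prefixes are constructed values.

```python
import hashlib


class NaiveHashRng:
    """Toy generator: each output is the SHA-512 digest of the previous
    output, so the emitted bytes ARE the complete internal state."""

    def __init__(self, seed):
        self.state = hashlib.sha512(seed).digest()

    def next_bytes(self):
        self.state = hashlib.sha512(self.state).digest()
        return self.state  # leaks the full state to the consumer


class SeparatedHashRng:
    """Toy generator with a secret state that is never emitted. Output and
    state update hash the same secret under different prefixes (assumed
    domain separation, simplified from Hash_DRBG-style designs), so an
    observer of the output would need a SHA-512 preimage to learn the state."""

    def __init__(self, seed):
        self.state = hashlib.sha512(b"init:" + seed).digest()

    def next_bytes(self):
        out = hashlib.sha512(b"\x00" + self.state).digest()
        self.state = hashlib.sha512(b"\x01" + self.state).digest()
        return out


def predict_following(observed_output, count):
    """What an observer can compute if a generator's output equals its state:
    iterate the hash forward from the observed value."""
    state = observed_output
    predictions = []
    for _ in range(count):
        state = hashlib.sha512(state).digest()
        predictions.append(state)
    return predictions


def forward_predictable(rng_class, seed, count=3):
    """Observe one output, then check whether the forward-iteration guess
    matches the generator's real next `count` outputs."""
    rng = rng_class(seed)
    observed = rng.next_bytes()
    actual = [rng.next_bytes() for _ in range(count)]
    return predict_following(observed, count) == actual


CONSTRUCTED_SEED = b"constructed-seed-for-demo-only"

if __name__ == "__main__":
    print("naive (output == state) predictable:",
          forward_predictable(NaiveHashRng, CONSTRUCTED_SEED))
    print("separated (state kept secret) predictable:",
          forward_predictable(SeparatedHashRng, CONSTRUCTED_SEED))
```

The check a reviewer of an RNG design would run is the first one: if the bytes handed to consumers let you reproduce the next bytes, the output is exposing state and reseeding is the only recovery. The second generator defeats that particular guess only because its output is not its state; it is a minimal illustration of the property, not a complete DRBG.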


