On Tue, Mar 11, 2014 at 2:26 PM, Alyssa Rowan <[email protected]> wrote:

> On 11/03/2014 17:08, Dan Brown wrote:
>
>> So, I am not totally sure about the question of whether secure
>> RNGs should be a MUST. I wonder what others think.
>
> Given this list exists, I'd say yes: going forward, they MUST be. <g>
>
> Regarding your counterargument: I think security considerations
> warrant MUST.
Absolutely, at least in any protocols whose security properties matter, and often elsewhere as well.

> I think secure RNGs really need to be considered a vital component to
> analyse. ...
>
> We should consider how robust protocols may be if those requirements
> are not met, and generally prefer (as a "safety net") protocols which
> do not fail catastrophically if the RNG is weak, ...

I cannot think offhand of a protocol that uses random numbers and does not fail with bad ones. Sometimes, as in choosing TCP sequence numbers, it may not matter a lot, but I am not even certain of that.

There are many examples of important security protocols that fail disastrously -- as in do not achieve any of their design goals -- if a weak RNG is used. Here are some:

The Diffie-Hellman key negotiation protocol -- used by at least IPsec, SSL/TLS and SSH, and for all I know others -- can be straightforwardly broken if either party uses a weak RNG. The break gives the enemy the shared key, which lets him break both the encryption and the packet-level authentication.

PGP generates a random key and uses it to encrypt the message with an efficient block cipher. Then it uses public key methods to safely deliver that key to recipients. A sufficiently bad RNG could therefore break PGP.

RNGs are also required for most types of key generation for any public key algorithm. The recent findings of massive duplication of TLS keys (a fatal flaw) on the net were attributed mainly to linux-based routers that failed to initialise their RNGs correctly.

The DSA algorithm may be a standard, but it is horrendously flawed. A single use with a bad RNG, or multiple uses if each leaks a bit of random material, completely breaks it, letting an attacker get the private key.
https://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Sensitivity

Some people, including me, suspect that such a flawed method could only have been standardised as a deliberate attempt to facilitate monitoring.
_______________________________________________
dsfjdssdfsd mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dsfjdssdfsd
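The DSA failure mode and the "safety net" Alyssa asks for, as an added example that is not part of this mail or the list's own material: a toy DSA over a constructed group (p = 607, q = 101, far too small for real use), three nonce sources (a proper RNG, an unseeded one that repeats k, and a simplified stand-in for RFC 6979's deterministic nonces, which is not the RFC's actual HMAC-DRBG construction), and an auditor's check that flags repeated r values, the visible symptom of nonce reuse. The private key x = 42 and the message strings in the tests are constructed sample values.

```python
import hashlib, hmac, secrets

# Toy DSA group constructed for this example (far too small for real use):
# p = 607 is prime, q = 101 divides p - 1 = 606, g = 2^((p-1)/q) mod p has order q.
P, Q = 607, 101
G = pow(2, (P - 1) // Q, P)

def hq(msg: bytes) -> int:
    """H(m) reduced into Z_q (DSA takes the leftmost bits of the hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x: int, msg: bytes, nonce, attempts: int = 64) -> tuple:
    """DSA signing; nonce(x, msg, attempt) supplies the per-signature secret k.
    The spec demands a fresh k whenever r or s comes out zero, hence the loop."""
    for attempt in range(attempts):
        k = nonce(x, msg, attempt)
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (hq(msg) + x * r) % Q
        if r and s:
            return r, s
    raise ValueError("nonce source never produced a usable k")

def verify(y: int, msg: bytes, sig: tuple) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, hq(msg) * w % Q, P) * pow(y, r * w % Q, P) % P
    return v % Q == r

# Three nonce sources. A generator that keeps handing out the same k is the
# catastrophic case the mail describes. The deterministic one is a simplified
# stand-in for RFC 6979 (HMAC over key and message, not the RFC's HMAC-DRBG).
def random_nonce(x, msg, attempt):
    return 1 + secrets.randbelow(Q - 1)

def broken_nonce(x, msg, attempt):
    return 7                    # unseeded generator: the same "random" k every time

def deterministic_nonce(x, msg, attempt):
    mac = hmac.new(x.to_bytes(2, "big"), msg + bytes([attempt]), hashlib.sha256)
    return 1 + int.from_bytes(mac.digest(), "big") % (Q - 1)

def repeated_r(sigs) -> list:
    """Auditor's check over signatures made under one key: a repeated r means k
    was reused, which is exactly the condition that leaks the private key."""
    counts = {}
    for r, _ in sigs:
        counts[r] = counts.get(r, 0) + 1
    return sorted(r for r, n in counts.items() if n > 1)
```

Signatures from the repeating source verify perfectly well, so the only thing that gives the weak RNG away is the duplicated r; the deterministic source needs no RNG at all and still produces a sound signature for every message.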
