On 3/14/14, Dan Brown <[email protected]> wrote:
> Hi,
>
> I think that the RFC 4086 sequel should drop the reference in its Section
> 7.2.3 to DSS RNG, or deprecate it.

I agree that its use for RNG should be deprecated. However, I think the
comment in RFC 4086 pointing out that DSS requires new good randomness for
each signature should remain, and probably the fact that, if you can
control that "randomness", you can leak an entire key in two signatures
should be mentioned and linked to the recent "interesting" revelations and
speculations concerning subverted RNGs...

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 [email protected]

> The main reason, as I vaguely recall, is that it suffers from some form of
> backtracking attack (found by somebody other than me). Hence X9.62-2005
> dropped this RNG.
>
> I wonder if the following weak attack is the attack I'm trying to remember:
>
> An adversary who sees the latest output X_j and compromises the current
> state XKEY_(j+1) should, ideally, not be able to distinguish X_j from a
> uniformly random bit string. The idea is that current secret state reveals
> nothing about past states.
>
> But in the DSS RNG, an adversary can easily confirm the match by testing
> that
>
> X_j == G(t, XKEY_(j+1) - 1 - X_j)
>
> Assuming that (optional user input) == 0.
>
> Hmm, maybe I'm wrong and just missing something obvious.
>
> I think newer DRBGs, e.g. in X9.82-3 and SP 800-90A, try to resist such
> attacks.
>
> Best regards,
>
> Daniel Brown
>
> Research In Motion Limited

_______________________________________________
dsfjdssdfsd mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dsfjdssdfsd
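The two points in the exchange above, as an added example that is not part of the thread and not code from either participant: a toy model of the FIPS 186-2 Appendix 3.1 "DSS RNG" that RFC 4086 Section 7.2.3 refers to, first used to show Dan Brown's backtracking check (an adversary holding XKEY_(j+1) confirms a candidate past output x_j, because with XSEED = 0 the state update inverts to XKEY_j = XKEY_(j+1) - 1 - x_j), then used as the per-message secret source for DSA to show Donald's point that controlled "randomness" leaks the private key from two signatures (here a reset seed key makes the generator emit the same k twice). Assumptions of my own: G(t, c) is modelled as plain SHA-1 over t || c (the real G runs the SHA-1 compression function with t as the chaining state); the DSA group is a small, insecure toy (q = 2^31 - 1, p found at import time) rather than real parameters; message digests are reduced mod q; the seed key, private key and messages are constructed values.

```python
"""Added example, not from the original thread. Toy FIPS 186-2 Appendix 3.1
"DSS RNG" plus textbook DSA, showing (1) Dan Brown's backtracking check and
(2) private-key recovery from two signatures that share a per-message secret.
Assumptions (not from the page): G(t, c) := SHA-1(t || c); toy group with
q = 2^31 - 1; digests reduced mod q; all secrets/messages are constructed."""
import hashlib

B = 160   # seed-key length b (FIPS 186 allows 160 <= b <= 512)
T = bytes.fromhex("67452301EFCDAB8998BADCFE10325476C3D2E1F0")   # SHA-1 IV, used as t


def G(t: bytes, c: int) -> int:
    """Stand-in for the FIPS 186 G function (assumption: plain SHA-1 of t || c)."""
    return int.from_bytes(hashlib.sha1(t + c.to_bytes(B // 8, "big")).digest(), "big")


def dss_rng_step(xkey: int, q: int, xseed: int = 0, t: bytes = T):
    """XVAL = (XKEY + XSEED) mod 2^b; x_j = G(t, XVAL) mod q; XKEY' = (1 + XKEY + x_j) mod 2^b."""
    xval = (xkey + xseed) % (1 << B)
    x = G(t, xval) % q
    return x, (1 + xkey + x) % (1 << B)


def confirm_past_output(x_candidate: int, xkey_next: int, q: int, t: bytes = T) -> bool:
    """Dan Brown's check: undo the state update and recompute the output (reduced mod q)."""
    xkey_prev = (xkey_next - 1 - x_candidate) % (1 << B)
    return G(t, xkey_prev) % q == x_candidate


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    if n < 2:
        return False
    for a in bases:
        if n % a == 0:
            return n == a
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_dsa_params():
    """Insecure toy group: q = 2^31 - 1, p = k*q + 1 for the first k giving a prime."""
    q, k = (1 << 31) - 1, 2
    while not is_probable_prime(k * q + 1):
        k += 1
    p, h = k * q + 1, 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


P, Q, GEN = toy_dsa_params()


def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q   # toy: reduce mod q


def dsa_sign(x: int, h: int, k: int):
    """Textbook DSA with caller-supplied per-message secret k (the RNG output)."""
    if not 0 < k < Q:
        raise ValueError("k must be in [1, q-1]")
    r = pow(GEN, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("retry with a fresh k")   # FIPS 186 requires regeneration
    return r, s


def dsa_verify(y: int, h: int, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return (pow(GEN, h * w % Q, P) * pow(y, r * w % Q, P) % P) % Q == r


def recover_private_key(h1: int, sig1, h2: int, sig2) -> int:
    """Same k => same r; k = (h1 - h2)/(s1 - s2) mod q, then x = (s1*k - h1)/r mod q."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("signatures do not share a per-message secret")
    k = (h1 - h2) * pow(s1 - s2, -1, Q) % Q
    return (s1 * k - h1) * pow(r1, -1, Q) % Q


def demo():
    xkey0 = 0x0123456789ABCDEF0123456789ABCDEF01234567   # constructed secret seed key
    k1, xkey1 = dss_rng_step(xkey0, Q)                   # honest output k1, then XKEY_1 leaks
    backtrack_ok = confirm_past_output(k1, xkey1, Q)     # adversary confirms k1 from XKEY_1
    backtrack_wrong = confirm_past_output((k1 + 1) % Q, xkey1, Q)   # a wrong guess fails
    k2, _ = dss_rng_step(xkey0, Q)                       # subverted: seed key reset, so k2 == k1
    x = 0x2CAFE                                          # constructed private key
    y = pow(GEN, x, P)
    h1, h2 = digest(b"first message"), digest(b"second message")
    sig1, sig2 = dsa_sign(x, h1, k1), dsa_sign(x, h2, k2)
    recovered = recover_private_key(h1, sig1, h2, sig2)
    return backtrack_ok, backtrack_wrong, k1 == k2, dsa_verify(y, h1, sig1), recovered == x
```

`demo()` returns five booleans: the backtracking check accepts the true previous output and rejects a wrong candidate, the reset generator repeats k, the signatures verify, and the recovered key equals x. The check is exactly Dan Brown's expression with the RNG's own `mod q` reduction applied to G; it would fail once XSEED is non-zero and unknown, which is why the optional user input matters, and SP 800-90A's generators are designed so that a state compromise does not confirm earlier outputs this way.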
