On Mon, Mar 17, 2014 at 10:35 AM, Dan Brown <[email protected]> wrote:
> > EE. Bad entropy estimation
> >
> > Numerous RNGs rely on each entropy input being accompanied by an
> > estimate of how many bits of entropy each contains. Historically,
> > these entropy estimates have been pretty bogus, but I'm not aware of
> > any attack arising out of that.
>
> Does the Goldberg--Wagner attack on the poorly seeded Netscape SSL RNG
> count here?

Not exactly. I meant item "EE" to cover only cases where the RNG has an
internal variable that tracks how much entropy it has received, but this
internal variable is calculated through a dubious process.

If I'm reading [1] correctly, the Netscape SSL RNG problem was that it
only seeded with the PID, the parent PID, and the current time in
microseconds. It didn't track entropy levels at all: it just failed to
use adequate entropy.

So let's add a new category to the list:

" J. Not even trying to use enough entropy as an input. "

[1] http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html

--
Nick
_______________________________________________
dsfjdssdfsd mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dsfjdssdfsd
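
To put category J in numbers, here is an added example (not part of this thread, and not Netscape's code): it bounds the entropy of a seed built only from the PID, the parent PID and a microsecond timestamp, then shows on a scaled-down constructed case that such a seed is found by plain enumeration. The SHA-256 stand-in generator, the 15-bit PID range, the "observer knows the second" assumption and the 128-bit floor are all assumptions of the example.

```python
import hashlib
import math

MIN_SEED_BITS = 128  # assumed policy floor for this example


def seed_bits(candidates_per_source):
    """Upper bound on seed entropy: log2 of the product of plausible values."""
    return sum(math.log2(n) for n in candidates_per_source.values())


def toy_output(pid, ppid, usec):
    """Stand-in generator (assumption): output is a pure function of the seed."""
    return hashlib.sha256(f"{pid}:{ppid}:{usec}".encode()).digest()[:16]


def candidates_tried(observed, pids, ppids, usecs):
    """Enumerate the seed space; return how many candidates were tried before
    the observed output was reproduced, or None if it never was."""
    tried = 0
    for pid in pids:
        for ppid in ppids:
            for usec in usecs:
                tried += 1
                if toy_output(pid, ppid, usec) == observed:
                    return tried
    return None


# Constructed scenario: 15-bit PIDs, observer knows the second of seeding.
WEAK = {"pid": 2**15, "ppid": 2**15, "usec_within_known_second": 10**6}
STRONG = {"32 bytes from the OS CSPRNG": 2**256}


def report():
    """Compare both seed designs against the assumed minimum."""
    weak, strong = seed_bits(WEAK), seed_bits(STRONG)
    return {"weak_bits": weak, "weak_ok": weak >= MIN_SEED_BITS,
            "strong_bits": strong, "strong_ok": strong >= MIN_SEED_BITS}


if __name__ == "__main__":
    print(report())
    # Scaled-down, constructed search space so the demo finishes instantly.
    observed = toy_output(pid=1234, ppid=1200, usec=500_250)
    n = candidates_tried(observed, range(1230, 1240), range(1195, 1205),
                         range(500_000, 501_000))
    print(f"seed reproduced after {n} candidates")
```

Note that nothing in the weak design keeps an entropy counter, so there is no estimate to get wrong: the shortfall is in the inputs themselves, which is the distinction between EE and J drawn above.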
