Question on PRNG's and entropy

2000-09-06 Thread Gregory Nicholls

 Hiya,
I've read the past items on this list, looking for a good non-interactive source of
entropy for the PRNG. Now I've a (possibly very) stupid question. The data I need to
encrypt is your basic bit of user data going from system A to system B. Now given that
the whole point of encrypting this is to prevent someone from reading the data, is there
any reason why I can't select a random bit out of each user message, perform some
incantation on it and use this to seed the PRNG ?? I mean, if someone can predict the
contents of the data well enough to work out what my seed is, surely they've defeated
the purpose of the encryption anyway .. true ???
Given that I'm cryptographically ignorant, I don't want to do this if there's some
great gaping flaw.
Thanks,
G.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Question on PRNG's and entropy

2000-09-06 Thread Michael Wojcik

> -Original Message-
> From: Gregory Nicholls [mailto:[EMAIL PROTECTED]]

> The data I need to encrypt is your basic bit of user data going from
> system A to system B. Now given that the whole point of encrypting this
> is to prevent someone from reading the data, is there any reason why I
> can't select a random bit out of each user message, perform some
> incantation on it and use this to seed the PRNG ??

How do you select a "random bit" of a message if you don't have a source of
randomness in the first place?  From a cryptographic perspective, you'd best
assume an attacker knows which bit of the message you're using, even without
knowing what the message contains.

Also, note that a crypto PRNG seed should ideally contain considerable
entropy.  Are these messages themselves unpredictable enough to provide
sufficient seed material?

> I mean, if someone can predict the contents of the data well enough to
> work out what my seed is, surely they've defeated the purpose of the
> encryption anyway .. true ???

That's a very big assumption.  An attacker could know enough about the
structure or probable contents of the message to greatly reduce the actual
amount of entropy in the seed, without being able to guess the message.
(Perhaps details in the message are important, but the message is known to
always be English text.)  An attacker might be able to inject a
known-plaintext attack and defeat the PRNG seeding entirely.  (Bob is a
legitimate user of your system, but he's secretly trying to crack it as
well, so he can read other people's data.)

Of course, there are many ways to sanitize the sampled data to reduce the
attacker's effective knowledge about it - hashing it, for example.  That's
certainly better than the original Netscape time+pid+ppid approach.

Ultimately it's a question of your threat model.  Does your model try to
account for serious attacks by knowledgeable people with lots of resources?
If not, how you seed your PRNG isn't something to lose a lot of sleep over.
If so, then you'd be better off hiring crypto and security experts to vet
your application.

Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
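The point made above, that knowledge of message structure shrinks the effective entropy of a seed derived from the message, is easier to see with numbers. The following is an added example and not code from the original thread or from OpenSSL: the message format (a fixed header plus a 4-digit customer number), the toy HMAC-based keystream generator and all function names are assumptions chosen to make the attack concrete. The sender seeds a generator from the hash of the message; the attacker, who knows only the format, enumerates the 10^4 possible messages, derives the seed each one would give, and keeps the candidate whose keystream decrypts the ciphertext back to itself. Nothing about the actual customer number has to be guessed in advance.

```python
import hashlib
import hmac
import math
from typing import Optional

# Constructed sample message format (an assumption of this example, not
# the poster's real protocol): a fixed header followed by a 4-digit
# customer number.  The attacker is assumed to know both facts.
HEADER = b"APP/1.0 TYPE=BALANCE CUST="
FIELD_DIGITS = 4


def seed_from_message(msg: bytes) -> bytes:
    """The proposal under discussion: derive the PRNG seed from the
    (hashed) message content itself."""
    return hashlib.sha256(msg).digest()


def keystream(seed: bytes, length: int) -> bytes:
    """Toy deterministic generator (HMAC-SHA256 in counter mode).  Any
    PRNG is a deterministic function of its seed, which is the property
    the attack below relies on; this one just keeps the example short."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_seeded_from_message(msg: bytes) -> bytes:
    """Sender side: seed the PRNG from the message, then use its output
    as a one-time keystream over that same message."""
    return xor_bytes(msg, keystream(seed_from_message(msg), len(msg)))


def seed_space_bits(candidates: int) -> float:
    """Effective seed entropy from the attacker's point of view: log2 of
    the number of messages they still have to consider."""
    return math.log2(candidates)


def recover_message(ciphertext: bytes) -> Optional[bytes]:
    """Attacker side: knows the header and that the only variable part is
    a 4-digit number, so the seed carries at most log2(10^4) ~ 13.3 bits.
    Enumerate every candidate message, derive the seed each would produce,
    and keep the candidate whose keystream decrypts the ciphertext to
    exactly that candidate.  A wrong candidate gives an unrelated
    keystream, so false matches are negligible."""
    for n in range(10 ** FIELD_DIGITS):
        candidate = HEADER + str(n).zfill(FIELD_DIGITS).encode()
        if len(candidate) != len(ciphertext):
            continue
        ks = keystream(seed_from_message(candidate), len(ciphertext))
        if xor_bytes(ciphertext, ks) == candidate:
            return candidate
    return None


if __name__ == "__main__":
    secret = HEADER + b"4711"
    ct = encrypt_seeded_from_message(secret)
    print("seed entropy (attacker's view): %.1f bits"
          % seed_space_bits(10 ** FIELD_DIGITS))
    print("recovered:", recover_message(ct))
```

The search runs in well under a second; the 256-bit hash output never mattered because the input to the hash only ever took 10,000 values. Hashing the sampled data is still worth doing, as noted above, but it cannot add entropy that the sampled data did not contain.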



Re: Question on PRNG's and entropy

2000-09-06 Thread Gregory Nicholls

Hiya,

Michael Wojcik wrote:

> How do you select a "random bit" of a message if you don't have a source of
> randomness in the first place?  From a cryptographic perspective, you'd best
> assume an attacker knows which bit of the message you're using, even without
> knowing what the message contains.

Fair point. I was thinking along the lines of msglen/n where I'd pick n (hardcoded)
out of a hat. The msg lengths won't be predictable but I guess they probably won't be
cryptographically random.

>
> Also, note that a crypto PRNG seed should ideally contain considerable
> entropy.  Are these messages themselves unpredictable enough to provide
> sufficient seed material?

They obviously have some standard header portion that I was proposing to omit.
As to the contents I can't say. Depends on the application.

> > I mean, if someone can predict the contents of the data well enough to
> > work out what my seed is, surely they've defeated the purpose of the
> > encryption anyway .. true ???
>
> That's a very big assumption.  An attacker could know enough about the
> structure or probable contents of the message to greatly reduce the actual
> amount of entropy in the seed, without being able to guess the message.
> (Perhaps details in the message are important, but the message is known to
> always be English text.)  An attacker might be able to inject a
> known-plaintext attack and defeat the PRNG seeding entirely.  (Bob is a
> legitimate user of your system, but he's secretly trying to crack it as
> well, so he can read other people's data.)
>
> Of course, there are many ways to sanitize the sampled data to reduce the
> attacker's effective knowledge about it - hashing it, for example.  That's
> certainly better than the original Netscape time+pid+ppid approach.
>
> Ultimately it's a question of your threat model.  Does your model try to
> account for serious attacks by knowledgeable people with lots of resources?
> If not, how you seed your PRNG isn't something to lose a lot of sleep over.
> If so, then you'd be better off hiring crypto and security experts to vet
> your application.

I don't think we're concerned about serious high-resource attacks; after all, we're not
going to use authentication but use ADH instead. I'm not sure if this is an attempt by
management to tick the encryption box or a serious attempt at supplying a useful option.
I'm trying to do the best I can within the constraints. The seed is the toughest bit.
We're supplying a library that won't have user interaction. It also needs to run on
about 10 different architectures (from NT through Unix to MVS and AS400). The only time
I'll get user interaction is during installation.
Thanks,
g.




Re: Question on PRNG's and entropy

2000-09-08 Thread Gregory Nicholls


Michael Wojcik wrote:

> Hmm.  Seeding PRNGs on Windows and Unix are pretty well-understood problems;
> there's Yarrow for Windows (www.counterpane.com) and egd for Unix,

Yeah but both of these are external processes. We can't (for various reasons)
rely on, or require the installation of, any such.

>
> Frankly, if you use something like hash(variable message content + hi-res
> time) to generate seed material, it'll be pretty hard to predict the PRNG,
> unless the attacker can mount a known-plaintext attack.  Stir some more
> entropy into the pool if you can, but chances are there will be weaker
> points for attackers (like subverting someone on the inside).
>

This was where I was heading with the original inquiry. I'm looking for something that
can be built into the portable library code. It seems from the comments made so far that
this would be an acceptable method for us. We're not protecting nuclear secrets (and
hence don't need to hide our data behind a vending machine ...).
G.

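The hash(variable message content + hi-res time) approach settled on above is a small entropy pool, and the details of how sources are fed into the hash matter. Below is an added example, not code from the thread or from OpenSSL, of a portable pool in Python: the class name, the labels, the choice of sources and the length-prefixed encoding are this example's own choices. Each input is tagged with a label and length-prefixed so that two different sources, or the same bytes split at a different boundary, can never produce the same hash input. On any platform with a kernel CSPRNG, `os.urandom` is stirred in as well and dominates the other sources; the clock, pid and message content are only the fallback for the platforms the thread worries about.

```python
import hashlib
import os
import time


class SeedPool:
    """Accumulates seed material from several sources into one running
    SHA-256 state.  Stirring order and source boundaries are fixed by the
    label/length framing, so the pool is deterministic in its inputs and
    unambiguous about where one input ends and the next begins."""

    def __init__(self) -> None:
        self._h = hashlib.sha256()
        self.sources = 0

    def stir(self, label: bytes, data: bytes) -> None:
        """Mix one labelled source into the pool (length-prefixed framing)."""
        self._h.update(len(label).to_bytes(2, "big") + label)
        self._h.update(len(data).to_bytes(4, "big") + data)
        self.sources += 1

    def stir_runtime(self, message: bytes) -> None:
        """The thread's suggestion plus whatever else is cheap and portable:
        message content, two clocks, the pid, and the kernel CSPRNG when the
        platform offers one."""
        self.stir(b"message", message)
        self.stir(b"wallclock_ns", time.time_ns().to_bytes(8, "big"))
        self.stir(b"monotonic_ns", time.perf_counter_ns().to_bytes(8, "big"))
        self.stir(b"pid", os.getpid().to_bytes(8, "big"))
        try:
            # Where this works it dominates everything above; the other
            # sources matter only on platforms without a kernel CSPRNG.
            self.stir(b"os_urandom", os.urandom(32))
        except NotImplementedError:
            pass

    def seed(self) -> bytes:
        """Current 32-byte seed.  A copy of the hash state is finalized, so
        the pool can keep being stirred and re-read later."""
        return self._h.copy().digest()


if __name__ == "__main__":
    pool = SeedPool()
    pool.stir_runtime(b"constructed sample message")
    print("sources stirred:", pool.sources)
    print("seed:", pool.seed().hex())
```

Reading the seed with a copy of the hash state, rather than finalizing the pool, allows the library to keep stirring in later messages and re-seed periodically, which is the "stir some more entropy into the pool if you can" advice in practical form.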