On 1/23/2016 3:16 PM, Geoffrey Keating wrote:
> But if k generation is broken, then that
> leaks the key permanently and you need to get a new one and revoke the
> old one, which may be difficult.

I agree that if RNG generation is broken then it breaks k generation. But if RNG generation was broken during key generation, you also have a problem.

In your arguments, assuming that the RNG was fine for key generation and broken for signature generation IMHO only applies to software modules (where you have the option of using separate RNGs for different functions).

For HSMs with any reasonable amount of good design, if the RNG is bad, the thing just stops working (and there are ALL sorts of tests to ensure that).

With respect to a software module, I'd find it easier just to read the key bits out of memory than apply most of the other threats that seem to be creeping into the argument.

Later, Mike
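An added illustration of the point both writers take as given above, that a broken k generator leaks the signing key permanently; this is not code from the mailing list or from either participant. It implements textbook ECDSA over NIST P-256 in plain Python integers and then models the failure mode under discussion: the RNG feeding the per-signature nonce silently goes repetitive and hands out the same k twice. The key and nonce values are constructed for the demo, and every function and constant name (sign, recover_from_repeated_nonce, PRIVATE_KEY, BROKEN_K and so on) is this example's own choice.

```python
# Added illustration: a repeated ECDSA nonce k lets anyone holding the two
# public signatures recover the private key d. Not code from the thread.
import hashlib

# NIST P-256 domain parameters (FIPS 186-4 / SEC 2 constants)
p = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
a = p - 3
b = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
n = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def on_curve(P):
    """True if P satisfies y^2 = x^3 + ax + b (mod p)."""
    x, y = P
    return (y * y - x * x * x - a * x - b) % p == 0


def point_add(P, Q):
    """Affine group law on the curve; None stands for the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P == -Q
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def scalar_mult(k, P):
    """Double-and-add; not constant time, which is fine for a demonstration."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def public_key(d):
    return scalar_mult(d, G)


def sign(d, msg, k):
    """ECDSA with a caller-supplied nonce, so the demo can model a broken RNG
    by passing the same k twice. A real signer never exposes k this way."""
    r = scalar_mult(k, G)[0] % n
    s = pow(k, -1, n) * (hash_to_int(msg) + r * d) % n
    assert r and s, "degenerate nonce; a real signer retries with a fresh k"
    return (r, s)


def verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    X = point_add(scalar_mult(hash_to_int(msg) * w % n, G),
                  scalar_mult(r * w % n, Q))
    return X is not None and X[0] % n == r


def recover_from_repeated_nonce(msg1, sig1, msg2, sig2):
    """Two signatures made with the same (unknown) k share r. Subtracting the
    two s equations cancels d and gives k; substituting back gives d. Only
    arithmetic mod n is needed, nothing about the curve itself."""
    (r1, s1), (r2, s2) = sig1, sig2
    assert r1 == r2, "different r values: the nonces differed, nothing to recover"
    h1, h2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (h1 - h2) * pow(s1 - s2, -1, n) % n
    return (s1 * k - h1) * pow(r1, -1, n) % n


# Constructed demo values: a fixed key and a fixed nonce standing in for an
# RNG that has silently started repeating itself. Not real keys.
PRIVATE_KEY = hash_to_int(b"constructed demo private key") or 1
BROKEN_K = hash_to_int(b"constructed nonce from a broken RNG") or 1


def demo_recovered_key():
    """Sign two distinct messages under the same k, check both signatures
    verify, then recover PRIVATE_KEY from the public signatures alone."""
    m1, m2 = b"transfer 10", b"transfer 10000"
    Q = public_key(PRIVATE_KEY)
    sig1, sig2 = sign(PRIVATE_KEY, m1, BROKEN_K), sign(PRIVATE_KEY, m2, BROKEN_K)
    assert verify(Q, m1, sig1) and verify(Q, m2, sig2)
    return recover_from_repeated_nonce(m1, sig1, m2, sig2)


if __name__ == "__main__":
    print("private key recovered:", demo_recovered_key() == PRIVATE_KEY)
```

The recovery step uses only arithmetic modulo the group order, so the damage does not depend on the curve or on any secret beyond the two signatures, which is why an HSM that halts on a failed RNG self-test (as the reply above describes) is the conservative design, and why a signer that derives k deterministically from the private key and the message hash (the RFC 6979 construction) removes the per-signature RNG dependence entirely.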



_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
