[5213] in cryptography@c2.net mail archive


Re: depleting the random number generator

daemon@ATHENA.MIT.EDU (John Kelsey)
Mon Jul 26 08:58:43 1999

Date: Sun, 25 Jul 1999 23:55:47 -0500
To: "Arnold G. Reinhold" <reinhold@world.std.com>,
        "James A. Donald" <jamesd@echeque.com>, Ben Laurie <ben@algroup.co.uk>,
        bram <bram@gawth.com>
From: John Kelsey <kelsey.j@ix.netcom.com>
Cc: cryptography <cryptography@c2.net>
In-Reply-To: <v04011700b3c0b0807cfc@[24.218.56.100]>

-----BEGIN PGP SIGNED MESSAGE-----

[ To: Perry's Crypto List, James, Ben, Bram ##
  Date: 07/25/99 ##
  Subject: Re: depleting the random number generator ]

>Date: Sun, 25 Jul 1999 11:01:00 -0400
>To: "James A. Donald" <jamesd@echeque.com>, Ben Laurie
>	<ben@algroup.co.uk>, bram <bram@gawth.com>
>From: "Arnold G. Reinhold" <reinhold@world.std.com>
>Subject: Re: depleting the random number generator
>Cc: cryptography <cryptography@c2.net>

>One nice advantage of using RC4 as a nonce generator is that
>you can easily switch back and forth between key setup and
>code byte generation. You can even do both at the same time.
>(There is no need to reset the index variables.) This allows
>you to intersperse entropy deposits and withdrawals at will.

Has anyone looked at this from a cryptanalytic point of
view?  I think there are chosen-input attacks available if
you do this in the straightforward way.  That is, if I get
control over some of your inputs, I may be able to alternate
looking at your outputs and sending in new inputs, and mount
an attack that isn't possible at all against RC4 as it's
normally used.  (This comes out of conversations with Jon
Callas, Dave Wagner, and Niels Ferguson, from a time when I
considered designing a Yarrow-variant using RC4 as the
underlying engine.)

>In particular, if you deposit the time of each entropy
>withdrawal, the proposed denial of service attack that
>started this thread would actually replenish a few bits of
>entropy with each service request.

This isn't a bad idea, but I'd be careful about assuming
that those times hold much entropy.  After all, a given
piece of code which has thirty calls to the PRNG probably
runs in about the same amount of time every time, barring
disk or network I/O.

>Arnold Reinhold

- --John Kelsey, Counterpane Internet Security, kelsey@counterpane.com
NEW PGP print =  5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

iQCVAwUBN5vpyCZv+/Ry/LrBAQEEugP/a0EmfGGNtCt9TXbzvbn6VbdpwMvInVr0
U+BiLtwa4UCp7l4i4BK3lovYkXHAYwdKD4v7k7OQw0iIaJAEHGFrdscByoAc1rA7
X83UylGkuhjyRmH9N7ygK67oSp7suWd5j5+7nS1TiZvFdP/hE8M7BXOtaFmxx7eP
K6tmgAWN3uc=
=P+FQ
-----END PGP SIGNATURE-----
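Added illustration of the two technical points in this exchange (this is not code from John, Arnold, or anyone else on the thread): an RC4 permutation used as an entropy pool the way Arnold describes, with key-setup-style deposits interleaved with keystream withdrawals and the index variables never reset, followed by an empirical min-entropy estimate of the inter-call timing that a "deposit the time of each withdrawal" rule would contribute on a fixed code path, which is the figure John says not to assume much of. The RC4Pool class, the one-key-setup-step-per-deposited-byte reading of the mixing, the seed bytes, and the timing parameters are all my assumptions.

```python
import time
from collections import Counter
from math import log2


class RC4Pool:
    """RC4 permutation used as an entropy pool in the manner described upthread
    (constructed illustration, not anyone's production code).

    deposit() runs key-setup-style mixing, withdraw() runs the keystream step,
    and the index variables i and j are shared and never reset, so the two can
    be interleaved freely.  That shared state is what John's concern is about:
    a caller who controls some deposits and observes some withdrawals interacts
    with the permutation in a way plain RC4 is never exposed to.
    """

    def __init__(self, seed: bytes) -> None:
        self.S = list(range(256))   # the RC4 permutation
        self.i = 0                  # shared index, never reset
        self.j = 0                  # shared index, never reset
        self.deposit(seed)

    def deposit(self, data: bytes) -> None:
        # One key-setup step per deposited byte (assumed reading of the scheme):
        # j absorbs the input byte plus S[i], then S[i] and S[j] are swapped.
        for byte in data:
            self.j = (self.j + self.S[self.i] + byte) & 0xFF
            self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
            self.i = (self.i + 1) & 0xFF

    def withdraw(self, n: int) -> bytes:
        # Standard RC4 keystream step, continuing from the current i and j.
        out = bytearray()
        for _ in range(n):
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.S[self.i]) & 0xFF
            self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
            out.append(self.S[(self.S[self.i] + self.S[self.j]) & 0xFF])
        return bytes(out)


def min_entropy_bits(samples) -> float:
    """Empirical min-entropy of a sample list: -log2 of the most common value's
    relative frequency.  This conservative figure, not Shannon entropy, is the
    one to use when deciding how much credit a deposit deserves."""
    samples = list(samples)
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -log2(p_max)


def withdrawal_timing_entropy(pool, calls=30, runs=200, quantum_ns=1000) -> float:
    """Run a fixed code path of `calls` withdrawals `runs` times, quantise the
    gap between consecutive calls to `quantum_ns`, and return the min-entropy
    of those gaps.  With nothing but the PRNG running between calls (no disk
    or network I/O), this is roughly what depositing the time of each
    withdrawal actually adds per call.  Parameters are constructed defaults."""
    gaps = []
    for _ in range(runs):
        last = time.perf_counter_ns()
        for _ in range(calls):
            pool.withdraw(16)
            now = time.perf_counter_ns()
            gaps.append((now - last) // quantum_ns)
            last = now
    return min_entropy_bits(gaps)


if __name__ == "__main__":
    pool = RC4Pool(b"constructed seed material")
    print("withdraw:", pool.withdraw(8).hex())
    pool.deposit(b"more entropy")        # interleaved deposit, no index reset
    print("withdraw:", pool.withdraw(8).hex())
    print("min-entropy of inter-call gaps (bits):",
          round(withdrawal_timing_entropy(pool), 2))
```

The timing figure is machine-dependent, but on an idle box it lands well below the number of bits a naive "each call adds a timestamp" accounting would credit; a pool design should credit deposits by a measured min-entropy estimate like this rather than by the raw width of the timestamp.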
