Deterministic session keys
paul at argo.demon.co.uk
Mon Jul 20 13:12:13 CEST 1998
wk at isil.d.shuttle.de said:
> Paul Ashton <paul at argo.demon.co.uk> writes:
> > That's good, but the thing that is often attacked is the PRNG. Getting
> GNUPG does not use a PRNG but a cryptograhic strong RNG; if you have
> the seed of a PRNG you access to all the "random bytes" it ever emits
> from this seed - this is not true for a realy RNG which we (hopefully)
> use in gnupg. (yes I know, that computers are deterministic systems
> and so we can only code a PRNG but a lot of folks do think that the
> physical world is also deterministic)
Ok, I'll rephrase my concern. One thing that is often attacked is
the RNG, perhaps due to misimplementation. With Linux it is entirely
conceivable that some kernel patch or other accidentally disables
/dev/randomness. I'm sure it won't last for very long though.
> > A risk? I think so.
> Yes. But "social engineering" is much more powerful, just ask your
> friend you need his secret keyring to check that there are no "viruses"
> in it and tell him this does not reveal the secret key because it is
> encoded with a strong 128 bit state-of-the-art cipher which is keyed
> with his passphrase, which you don't know. You make a copy and and
> setup a dictionary attack on the passphrase - and assume this passphrase
> is, as he didn't check the signature of the program, or what about a
> trojan horse or, or ...
The existence of one risk doesn't negate the existence of the other.
The essence of my argument is that anything that uses "random" numbers
cannot ever be validated, whereas if gnupg had a --deterministic
option that always produced the same output for the same input, then
merely a reimplementation to the same specification would be enough
to eliminate many possible concerns and weaknesses.
I understand that same output for same input is often not desirable
and many weaknesses are pointed out in Applied Cryptography and
others, but for some cases it may be sufficient.
I also think it is quite likely that encryption systems have
been developed with weak RNGs that have subject the system to
rapid attack. The nice thing for the NSA and co. who might pressure
people into doing this, is that they introduce plausible deniability
in case they are found out. "Sorry folks, we didn't realise
gettimeofday() wasn't such a good PRNG seed...".
Personally I wish that all my pgp, gpg and ssh keys purely used my
passphrase to generate the key-pairs and other systems
such as hash algorithms were used to generate session keys. If others
want to use /dev/random or whatever, then fine, we can still
ps. May I thank you for your very fine work with GNUPG.
More information about the Gnupg-devel