howto secure older keys after the recent attacks

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Sep 11 02:38:20 CEST 2009


On 09/10/2009 06:32 PM, Christoph Anton Mitterer wrote:
> 3) One problem with such devices is... that one can never know (well at
> least normal folks like me) how good they actually are.
> If this company would be evil (subsidiary of NSA or so) they could just
> sell bad devices that produce poor entropy thus rendering our (symmetric
> and asymmetric) keys, signatures etc. "useless". Right?

Worse than this: the devices could produce measurably "good" entropy
that happens to be predictable to a malicious individual in control of a
special secret.

For example, if such a key were to contain a copy of the secret, and
somehow retain the current time (e.g. a battery and a clock?), it could
produce a new output stream each second with:

 AES(secret + time())

(first cleartext block is just "secret + time", and next cleartext block
for that second is just the previous ciphertext block XOR'ed with
"secret + time" -- reset every second as time() changes)

This would produce a predictable stream that (like all good ciphers) has
high-entropy output.

Then, if this was used to provide random numbers to the kernel, which in
turn provided them to gpg, an attacker who knows the secret associated
with your entropy key, and the time you generated the key (that
information is published with your public key) could probably reproduce
the stream of "randomness" that was used for your key generation, and
therefore stumble upon your private key.

	--dkg
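The construction described in the mail above, as an added example that is not part of the original message: it builds the stream with AES-CBC from Go's standard library (zero IV, every cleartext block the same "secret + time" value, restarted each second), so anyone holding the secret and the second of key creation reproduces it byte for byte, while a naive Shannon estimate still rates it at close to 8 bits/byte. The choice of the 16-byte secret as the AES-128 key and the block layout secret[:8] || big-endian unix time are assumptions, not details from the mail.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"math"
)

// BackdooredStream models the device in the mail: AES-CBC with a zero IV
// over identical cleartext blocks of "secret + time", restarted each
// second, so c0 = AES(secret+time) and c_i = AES(c_{i-1} XOR (secret+time)).
// Assumption (not from the mail): the 16-byte secret is also the AES-128
// key, and the per-second block is secret[:8] || big-endian unix time.
func BackdooredStream(secret []byte, unixTime uint64, nBlocks int) ([]byte, error) {
	blk, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	one := make([]byte, 16)
	copy(one, secret[:8])
	binary.BigEndian.PutUint64(one[8:], unixTime)
	plain := bytes.Repeat(one, nBlocks)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(out, plain)
	return out, nil
}

// ByteEntropy is a naive Shannon estimate in bits per byte: the kind of
// statistical "randomness test" the stream passes despite being fully
// determined by the secret and the second it was produced in.
func ByteEntropy(data []byte) float64 {
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / float64(len(data))
			h -= p * math.Log2(p)
		}
	}
	return h
}
```

Calling BackdooredStream twice with the same constructed secret and second returns identical bytes, and ByteEntropy over a few thousand blocks of it comes out near 8.0, which is why a statistical check alone cannot catch this design.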
