
    Due to a misplaced parenthesis, if insufficient GOOD 
    bits were available to satisfy a request, the 
    keying/rekeying code requested either 32 or 64 ANY bits, 
    rather than the balance of bits required to key the 
    stream generator.
I think this paragraph is a nice reminder of how hard crypto can be.


A misplaced parenthesis can corrupt output data from ordinary programs too. But with crypto, severe problems have a much easier time staying silent through QA and interop testing, and widespread usage.

I think it's because the concept of "cryptographically secure" is essentially trying to prove a negative. That's hard enough in general, but especially hard to do about an intelligent adversary whom you may not even know anything about. You're trying to prove that no present or future attacker will be able to obtain any information which can allow him to unravel your secrets.

Crypto is about building sky castles full of really really long secrets floating on foundations of really small ones, and then tossing them all up in the air to yourself as you run down the street backwards with rabid weasels chasing you.


In particular CSPRNGs, because the output of a fatally flawed CSPRNG and a secure CSPRNG can look very similar.

This is also why CSPRNGs are a great place to hide backdoors.
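The point above (that the output of a badly seeded generator is statistically indistinguishable from a good one) is easy to see concretely. Below is an added example, not code from the thread or from any real CSPRNG: a constructed toy generator that runs SHA-256 in counter mode over a seed space of only 16 bits, alongside `os.urandom`. A chi-square test on the byte histogram passes for both, and only grossly biased data such as a buffer of zeros fails it. The seed value, the block sizes and the 330.5 critical value (approximately the 99.9% point of a chi-square distribution with 255 degrees of freedom) are this example's own choices.

```python
import hashlib
import os
from collections import Counter


def weak_stream(seed16: int, nbytes: int) -> bytes:
    """Constructed toy generator: SHA-256 in counter mode keyed by a 16-bit seed.

    The output is well mixed, but the entire keyspace is 65,536 seeds, so the
    stream is worthless as a CSPRNG even though it 'looks' random.
    """
    if not 0 <= seed16 < (1 << 16):
        raise ValueError("seed must fit in 16 bits")
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        block = seed16.to_bytes(2, "big") + counter.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:nbytes])


def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform expectation.

    255 degrees of freedom; for genuinely uniform bytes the value is about 255.
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


# Approximate 99.9% critical value for 255 degrees of freedom (Wilson-Hilferty).
CHI2_255_DF_P999 = 330.5


def looks_random(data: bytes) -> bool:
    """True when the byte histogram is consistent with uniform output."""
    return chi_square_bytes(data) < CHI2_255_DF_P999


if __name__ == "__main__":
    n = 1 << 16
    samples = {
        "os.urandom": os.urandom(n),
        "16-bit-seed stream": weak_stream(0x1234, n),
        "all zeros": bytes(n),
    }
    for name, buf in samples.items():
        print(f"{name:20s} chi2={chi_square_bytes(buf):9.1f} looks_random={looks_random(buf)}")
```

Both real and weak streams print `looks_random=True`; only the all-zero buffer fails. The weakness lives in the seed space, not in the output statistics, which is why output-only testing cannot certify a CSPRNG and why a flaw (or a deliberate backdoor) in seeding or state handling goes unnoticed.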


Backdoor in the sense of leaking state?

And is there a case in the wild (except the PS3 hack?)?


Best paper Usenix Security '12. Nadia Heninger, UC San Diego; Zakir Durumeric, University of Michigan; Eric Wustrow and J. Alex Halderman, University of Michigan https://www.usenix.org/conference/usenixsecurity12/mining-yo... "We find that 0.75% of TLS certificates share keys due to insufficient entropy during key generation, and we suspect that another 1.70% come from the same faulty implementations and may be susceptible to compromise. Even more alarmingly, we are able to obtain RSA private keys for 0.50% of TLS hosts and 0.03% of SSH hosts, because their public keys shared nontrivial common factors due to entropy problems, and DSA private keys for 1.03% of SSH hosts, because of insufficient signature randomness."

"Ron was wrong, Whit is right", Arjen K. Lenstra, James P. Hughes, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung and Christophe Wachter, http://eprint.iacr.org/2012/064


> except the PS3 hack?

To be clear, the PS3 problem was not a problem of randomness quality or a PRNG backdoor. It was illegal nonce reuse in the zero-knowledge proof-of-key-possession protocol embedded in DSA signatures.
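The two entropy failures discussed in this thread, RSA moduli that share a prime factor (the Heninger et al. result quoted above) and DSA signatures that reuse a nonce (the PS3 case), both leave a signature that a key-hygiene audit can flag without any cryptanalysis. The following is an added example, not code from any commenter or from the cited papers: a pairwise GCD scan over a set of moduli and a scan for repeated `r` values among signatures under the same key. The moduli are constructed from small primes so the example runs instantly; a real audit would use full-size keys and, for large corpora, the batch-GCD approach the paper describes rather than the O(n^2) pairwise loop shown here. The key identifiers and signature values are constructed sample data.

```python
from collections import defaultdict
from itertools import combinations
from math import gcd

# Constructed toy primes (far too small for real RSA; chosen so the scan is instant).
_P = 2147483647            # 2^31 - 1
_Q = 2305843009213693951   # 2^61 - 1
_R = 4294967291            # 2^32 - 5
_S = 1000000007
_T = 998244353

# Constructed sample "public keys": index 1 shares the prime _P with index 0,
# and index 3 is a byte-for-byte duplicate of index 2 (the 'shared keys' case).
SAMPLE_MODULI = [_P * _Q, _P * _R, _S * _T, _S * _T]

# Constructed sample signatures as (key_id, r, s). Host A signed twice with the
# same nonce, which shows up as the same r under the same key.
SAMPLE_SIGNATURES = [
    ("host-a", 12345, 777),
    ("host-a", 12345, 999),
    ("host-a", 67890, 111),
    ("host-b", 12345, 222),
]


def shared_factor_audit(moduli):
    """Flag pairs of RSA moduli that are identical or share a non-trivial factor.

    Returns a list of (i, j, finding) where finding is the string
    'identical modulus' or the common factor found by gcd.
    """
    findings = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        if n1 == n2:
            findings.append((i, j, "identical modulus"))
            continue
        g = gcd(n1, n2)
        if g > 1:
            findings.append((i, j, g))
    return findings


def repeated_r_audit(signatures):
    """Flag keys that produced more than one signature with the same r.

    In DSA/ECDSA, r is a function of the nonce k alone, so a repeated r under
    one key means k was reused, which is exactly the PS3 failure. Returns a
    dict key_id -> sorted list of repeated r values; keys without repeats are
    omitted. (Across different keys in the same group a repeated r is equally
    suspicious; this scan keeps the per-key view for simplicity.)
    """
    counts = defaultdict(lambda: defaultdict(int))
    for key_id, r, _s in signatures:
        counts[key_id][r] += 1
    return {
        key_id: sorted(r for r, c in per_key.items() if c > 1)
        for key_id, per_key in counts.items()
        if any(c > 1 for c in per_key.values())
    }


if __name__ == "__main__":
    for i, j, finding in shared_factor_audit(SAMPLE_MODULI):
        print(f"moduli {i} and {j}: {finding}")
    for key_id, rs in repeated_r_audit(SAMPLE_SIGNATURES).items():
        print(f"{key_id}: nonce reuse, repeated r values {rs}")
```

Both checks are cheap enough to run on every key or signature a fleet emits, which is the practical defence: a generator whose output passed statistical tests still produced these artifacts, and the artifacts, not the randomness, are what an auditor can see.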


Did you mean to use the word "illegal"?


Sorry 'illegal' in the sense of being contrary to the requirements of the crypto protocol, in the same way that you can have the concept of an 'illegal operation' in a CPU ISA.


Illegal as in "violating their own crypto policy".


The Debian certificate instance is a good example too.

http://digitaloffense.net/tools/debian-openssl/




