1993-11-23 - Can NSA crack PGP?

Header Data

From: karn@qualcomm.com (Phil Karn)
To: mab@crypto.com
Message Hash: 9b6cd4bf24d1cca737ed1d69f6d5d744aec91e294a310672284a63f333d97f92
Message ID: <199311230859.AAA05134@servo>
Reply To: <9311230533.AA17556@crypto.com>
UTC Datetime: 1993-11-23 09:02:44 UTC
Raw Date: Tue, 23 Nov 93 01:02:44 PST

Raw message

From: karn@qualcomm.com (Phil Karn)
Date: Tue, 23 Nov 93 01:02:44 PST
To: mab@crypto.com
Subject: Can NSA crack PGP?
In-Reply-To: <9311230533.AA17556@crypto.com>
Message-ID: <199311230859.AAA05134@servo>
MIME-Version: 1.0
Content-Type: text/plain

>Minor nit: I agree that keystroke timing is good in principle for getting
>"true" random bits, but we should be careful not to extrapolate too much from
>the STU-III for general purpose computer systems.

I fully agree.

>Compounding the issue is knowing which bits in the interarrival time are
>the "hotest" ones to measure on a particular system, which may be surprisingly
>far from the lowest order bits depending on the clock granularity and skew.

I think this is less of a problem. Given a good cryptograpic hash
function, I would simply hash *all* of the clock bits, without regard
to which are the "hottest" ones. If (important 'if') there is
sufficient total entropy in the input bits, hashing should effectively
"distill" the input entropy into the output bits.