1995-09-19 - Re: Verification of Random Number Generators

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@toad.com
Message Hash: 26762031a5eeac2567f754fac2316bae6e37c08277fd5b49eb9f3243ec6aec0c
Message ID: <199509191947.MAA23655@ix3.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1995-09-19 19:47:34 UTC
Raw Date: Tue, 19 Sep 95 12:47:34 PDT

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Tue, 19 Sep 95 12:47:34 PDT
To: cypherpunks@toad.com
Subject: Re: Verification of Random Number Generators
Message-ID: <199509191947.MAA23655@ix3.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 11:54 AM 9/19/95 -0500, andrew wrote, replying to Eric Fair:
>>  Just an idle thought: it might be possible to do a probabalistic
>>  verification of a RNG by sampling it over some number of samples,

>But this wouldn't have solved Netscape's problem.  Netscape was using a  
>pretty good PRNG (the one in RSAREF).  The problem was they were/are using a  
>naive method of seeding it.  The output of the PRNG would have been  
>statistically random, but since the seed had ridiculously little entropy it  
>was easy to guess.

It's even worse - the seeding mechanism has too little entropy, given that
you know some of the input data (e.g. system clock), but if it had, say,
32 bits of entropy, you'd have to run your test tens or hundreds of billions
of times for the patterns to really show up - which is hard to do for something
that uses the system clock or other hardware - and you'd really have to get
at the output of the seeding process rather than the PRNG output, which has
been filtered through enough MD5 that it's hard to detect the patterns.
But you could still crack it easily enough.
#---
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---






Thread