1996-09-17 - Re: Gaining trust in OCO crypto code

Header Data

From: norm@netcom.com (Norman Hardy)
To: mac-crypto@thumper.vmeng.com
Message Hash: a42a471ac1a1ed99a9a1eec4c962a477d4149f00d64ec42e284df5e901fdb42d
Message ID: <ae63b0e900021004988f@DialupEudora>
Reply To: N/A
UTC Datetime: 1996-09-17 04:49:06 UTC
Raw Date: Tue, 17 Sep 1996 12:49:06 +0800

Raw message

From: norm@netcom.com (Norman Hardy)
Date: Tue, 17 Sep 1996 12:49:06 +0800
To: mac-crypto@thumper.vmeng.com
Subject: Re: Gaining trust in OCO crypto code
Message-ID: <ae63b0e900021004988f@DialupEudora>
MIME-Version: 1.0
Content-Type: text/plain


I agree with most of Bill's points. It is the right sort of analysis.

At 3:06 PM 9/12/96, Bill Frantz wrote:
....
>(2) Key generation.  There are published ways to encode an RSA secret key
>in the corresponding RSA public key.  A key generation algorithm which only
>uses 32 bits of the random number would be hard to detect, but easy to
>break by one who knew its secret.  You have to be able to examine in detail
>how keys are generated.

Actually if you generate 100,000 RSA keys with the algorithm the birthday
effect says that
you will have some collisions. Of course even 100,000 key generations takes
a long time.

....
>(1) Implementation of a cryptographic algorithm.  If we can feed it enough
>test cases, and compare the output with a public, well vetted
>implementation, we can come to believe that it is correct.

For some purposes. On the transmitting end if the enemy can choose the
plain text then a tested but bogus implementation can take special action
upon seeing a signal in the plain text stream. One such action would be to
merely shut down. On the receiving end a bogus implementation can detect a
signal inserted in the cipher text by the enemy and cause damage. I havn't
thought of any low visibility attacks but I suspect that there may be some.

If random number generation is specified not to be integral to RSA key
generation, then two or more untrusted programs, from mutually hostile
sources, can generate your RSA key if they yield the same output from the
same input. In paranoia situations I would rather trust my keyboard random
than an algorithm chosen by my enemy.








Thread