Re: Cryptographically secure random number generation
Posted: Fri Mar 23, 2012 9:49 am
Of course. That's called distribution. Just omitted it for simplicity of speculations.
The Place to Start for Operating System Developers
https://f.osdev.org/
No, actually, he's right. A stream cipher really just boils down to a secure PRNG seeded with the key, and a secure PRNG can be created using a secure hash function. It's not as trivial as "the hash of the message is the ciphertext", which of course wouldn't be invertible, but it's trivial in the sense that you don't need to bring in any other crypto algorithms to make it work.Solar wrote:Which, unfortunately, is not true. (I'd like to see how you'd go about reconstructing a document from it's md5 hash.)Owen wrote:...every hash function can trivially be transformed into a cipher.
NO. I wrote about increasing the unpredictibility of random seeds by using radio noise too as data for hash algorithms. Never wrote 128 bit, did I? Read the document I linked.Solar wrote:You generate a 128bit seed by capturing radio noise.
...nothing. First, you cannot capture the same waves, so you'll be always guessing. Second, if by any chance you managed to guess the right combination, you would not know it, because you still do not know the other factors of the seed.Solar wrote:if I capture almost the same radio noise, that significantly reduces
NO. Which part did you not understand of "already installed" and "existing"? You have a strong random seed generator. And you have an infrastructure to receive waves (already built for other reasons, providing huge amount of noise data as a side-effect). Feeding the former with stream data from latter cost you nothing.Yoda wrote:To use it you need to build radio receiver
Never said so. What I said:Yoda wrote:The randomness doesn't depend on how large is you hash and how random it looks
The key part is, change it in a non-periodic way
Ok, I'm fed up, because you guys simply do not read.Other sources (the more the better) needed.
Maxim #2 of any forumer: Understand what the other person is saying before going balistic. If you're intentionally misunderstanding people, there's little we can do.turdus wrote:NO. I wrote about increasing the unpredictibility of random seeds by using radio noise too as data for hash algorithms. Never wrote 128 bit, did I? Read the document I linked.Solar wrote:You generate a 128bit seed by capturing radio noise.
Maxim #1 of any forumer: read, read, read.
You wrote that as a memo for you, did you?Solar wrote:Maxim #2 of any forumer: Understand what the other person is saying before going balistic. If you're intentionally misunderstanding people, there's little we can do.turdus wrote:NO. I wrote about increasing the unpredictibility of random seeds by using radio noise too as data for hash algorithms. Never wrote 128 bit, did I? Read the document I linked.Solar wrote:You generate a 128bit seed by capturing radio noise.
Maxim #1 of any forumer: read, read, read.
I think has a reasonably technical explanation.ACcurrent wrote:I believe VIA uses the difference in two clocks for RNG. Heres a rough over view http://www.via.com.tw/en/initiatives/pa ... nd_how.jsp.
In fact, Snuffle is an example of this - an extremely important example as it brought about the overturn of the US strong cryptography export laws.NickJohnson wrote:No, actually, he's right. A stream cipher really just boils down to a secure PRNG seeded with the key, and a secure PRNG can be created using a secure hash function. It's not as trivial as "the hash of the message is the ciphertext", which of course wouldn't be invertible, but it's trivial in the sense that you don't need to bring in any other crypto algorithms to make it work.Solar wrote:Which, unfortunately, is not true. (I'd like to see how you'd go about reconstructing a document from it's md5 hash.)Owen wrote:...every hash function can trivially be transformed into a cipher.
The security of the derived stream cipher is very much a function of how it is used; and the considerations are very much similar to those for a block cipher derived stream cipher. I see multiple flaws in your argument:Yoda wrote:Actually, he is neither right, nor wrong. Every hash algorithm may be used for building cipher, but this cipher will not be proof against whole set of attacks which classical block cipher (AES, for example) is proof. For example, if an attacker has original text and the encrypted one, in the case of AES he will not be able to modify the message so that after decription the recepient will get intentionally mangled text. But in the case of hash-based cipher he will be able to do this. Another issue is that this kind of cipher is extremely weak in successive usage of the same key. But in AES you may safely use same key [practically] unlimited number of times.
Of course NOT! There are many applications that doesn't require full implementation of message authenticity validation (as banking transactions) but still may become point of vulnerability. Spoofing of network packets in a large traffic is an example (remember an attack of Mitnick against Shimomura). Of course, potentially you can protect every packet by digital signature but this will result in an extremely large overhead in traffic and CPU resources.Owen wrote:You are using the cipher to guarantee message integrity...
This also results in further complication of algorithm and inventing the mechanisms of vectors synchronization. Remember that the original statement was "trivial conversion of hash to block cipher". But this conversion is neither trivial nor effective. You may even return to the roots of cryptography and state that One-time pad is absolutely reliable cipher but please consider the effectiveness first, before further arguing.Owen wrote:Many cryptosystems use an initialization vector; this precaution prevents exactly this kind of attack.
I don't like measuring everione's merits and regalia. I don't know you, you don't know me.Owen wrote:Your argument demonstrates exactly why people who are not cryptographers should not ever attempt... ... I'm sure you can gather that I'm quite versed in cryptosystems;
Did I say digital signature? No. I said Message Authentication Code; a completely different cryptographic primitive. But, in any case, ask any qualified cryptographer and they will tell you that evaluating encryption systems on the basis of their resilience to tampering is like evaluating types of bread on the basis of their tensile strength: almost meaninglessYoda wrote:Of course NOT! There are many applications that doesn't require full implementation of message authenticity validation (as banking transactions) but still may become point of vulnerability. Spoofing of network packets in a large traffic is an example (remember an attack of Mitnick against Shimomura). Of course, potentially you can protect every packet by digital signature but this will result in an extremely large overhead in traffic and CPU resources.Owen wrote:You are using the cipher to guarantee message integrity...
Observe that any effective mode of using a traditional block cipher (i.e. any mode which isn't ECB, which leaks so much information its use is almost futile) requires an IV or nonce, because otherwise for the first block of data the cipher leaks as much information as ECB would, and because it is often a good idea to make it impossible to determine whether two ciphertexts correspond to equal plaintexts. Also note that any channel which can carry the ciphertext can carry the IV - after all, the IV is just a non-secret random number.This also results in further complication of algorithm and inventing the mechanisms of vectors synchronization. Remember that the original statement was "trivial conversion of hash to block cipher". But this conversion is neither trivial nor effective. You may even return to the roots of cryptography and state that One-time pad is absolutely reliable cipher but please consider the effectiveness first, before further arguing.Owen wrote:Many cryptosystems use an initialization vector; this precaution prevents exactly this kind of attack.
Doesn't matter. Fast MAC algorithms (CBC-MAC, for example) are based on the intrinsic strength of block cipher against tampering, but MAC for this hash-derived cipher may be reliable only in case of applying the digital hash over the whole message - very consumptive algorithm.Owen wrote:Did I say digital signature? No. I said Message Authentication Code; a completely different cryptographic primitive.
Every qualified cryptographer will tell you that each cryptographical method has it's own set of characteristics and scope of usage. The strength against tampering is one of the most valuable quality of cipher. I pointed to one characteristic where hash-based cipher is not competitive against block cipher.Owen wrote:ask any qualified cryptographer and they will tell you that evaluating encryption systems on the basis of their resilience to tampering is ... almost meaningless
Again, you are trying to oblige cipher with properties wich are actually not necessary in many applications. For example, monitoring of critical hardware may not require that intruder will not be able to determine the identity of some packets. But it may require proof against tampering and decrypting plaintext.Owen wrote:Observe that any effective mode of using a traditional block cipher (i.e. any mode which isn't ECB, which leaks so much information its use is almost futile) requires an IV or nonce, because otherwise for the first block of data the cipher leaks as much information as ECB would, and because it is often a good idea to make it impossible to determine whether two ciphertexts correspond to equal plaintexts.Yoda wrote:But this conversion is neither trivial nor effective. ... but please consider the effectiveness first, before further arguing.
Nowhere did I say that the derived cipher would be used for the MAC - it would be far more efficient to return to the underlying hash function and use e.g. HMAC. In any case, CBC-MAC likewise requires the whole message be processed by itself (failure to use a different CBC-MAC key to the encryption key severely weakens it)Yoda wrote:Doesn't matter. Fast MAC algorithms (CBC-MAC, for example) are based on the intrinsic strength of block cipher against tampering, but MAC for this hash-derived cipher may be reliable only in case of applying the digital hash over the whole message - very consumptive algorithm.Owen wrote:Did I say digital signature? No. I said Message Authentication Code; a completely different cryptographic primitive.
Protection against tampering is a property offered by a message authentication code. A MAC can be constructed from a block cipher, but a cipher itself is not a method of preventing tampering. If you wish to argue otherwise, please cite your peer-reviewed source.Every qualified cryptographer will tell you that each cryptographical method has it's own set of characteristics and scope of usage. The strength against tampering is one of the most valuable quality of cipher. I pointed to one characteristic where hash-based cipher is not competitive against block cipher.Owen wrote:ask any qualified cryptographer and they will tell you that evaluating encryption systems on the basis of their resilience to tampering is ... almost meaningless
Prevention of tampering: Usage of a MACAgain, you are trying to oblige cipher with properties wich are actually not necessary in many applications. For example, monitoring of critical hardware may not require that intruder will not be able to determine the identity of some packets. But it may require proof against tampering and decrypting plaintext.Owen wrote:Observe that any effective mode of using a traditional block cipher (i.e. any mode which isn't ECB, which leaks so much information its use is almost futile) requires an IV or nonce, because otherwise for the first block of data the cipher leaks as much information as ECB would, and because it is often a good idea to make it impossible to determine whether two ciphertexts correspond to equal plaintexts.Yoda wrote:But this conversion is neither trivial nor effective. ... but please consider the effectiveness first, before further arguing.