Problem - Kevin Tafuro

Discussion

There are two common reasons why you may want to reseed a PRNG. First, your threat model may include the possibility of the internal state of your PRNG being compromised, and you want to protect against an attacker's being able to figure out numbers that were output before the state compromise. Reseeding, if done right, transforms the internal state in a way that preserves entropy while making it essentially impossible to backtrack. Protecting against backtracking attacks can be done cheaply enough that there is no excuse for not doing it.

Second, you may want to add entropy into the state. This can serve a number of purposes. Remember, however, that cryptographic generators have a maximum amount of entropy they can contain, so adding entropy to a generator that is already "full" can look unnecessary.

When available, however, reseeding with entropy is a good conservative measure, for several reasons. For one, if you have underestimated the amount of entropy that a generator has, adding entropy is a good thing. For another, if the generator has lost any entropy, new entropy can help replenish it. Such entropy loss is natural because cryptographic algorithms are not as good as their theoretical ideals. In addition, because we generally do not know the exact strength of our algorithms, it is hard to determine how quickly entropy gets lost. (Note, however, that if the algorithms are as strong as believed, it should be lost quite slowly.)

While a generator based on AES or HMAC-SHA1, implemented as discussed in Recipe 11.5, probably never loses more than a minuscule amount of entropy before 2^64 outputs, it is always good to be conservative and assume that it drains quickly, particularly if you have entropy to spare.

When adding entropy to a system, it is best to collect a lot of entropy and seed all at once, instead of seeding a little bit at a time. We will illustrate why by example. Suppose you seed a generator with one bit of entropy. An attacker who already knows the rest of the state has only one bit to guess, and can confirm the guess from the next output or two. If the attacker completely compromises the state after two outputs, and we then add another bit of entropy, he can once again guess the state easily.

If we add one bit 128 times, there is still very little security overall if the generator state is compromised, because the attacker only ever has to guess one bit at a time (at most two guesses per reseed, or about 256 guesses in total). However, if you add 128 bits of entropy to the generator all at once, the attacker faces a search over 2^128 possibilities, and an attack should essentially be infeasible.

The actions you should take to reseed a generator are different depending on whether you are actually adding entropy to the state of the generator or just trying to thwart a backtracking attack. However, the first step is the same in both cases.

592 | Chapter 11: Random Numbers

This is the Title of the Book, eMatter Edition

Copyright © 2007 O'Reilly & Associates, Inc. All rights reserved.
