On Wed, Feb 15, 2012 at 10:32 AM, Warren Smith <warren.wds@gmail.com> wrote:
Generating keys with a pseudorandom number generator, no matter how good, is absolutely 100% unacceptable. [...] The lesson here is: always assume the users/implementors of cryptography are beyond stupid, and will intentionally do the worst possible thing repeatedly thousands or millions of times.
Actually, the paper does a nice job pointing out the not-immediately-obvious benefit of a one-secret cryptographic system (e.g. Diffie-Hellman) over a two-secret system (e.g. RSA). Standard creation of RSA keys requires *two* secret primes, and if you share even one of those with another RSA public key, you end up insecure, and anyone can break your encryption. By contrast, something like Diffie-Hellman is based on a single secret, and if someone else happens to randomly generate the same secret as you, then you two would end up with the same public key -- but then only that other person would be able to break your encryption, not anyone in the world that noticed the duplication. So one lesson here is that RSA is particularly vulnerable to this kind of bad-implementation failure mode. I was really interested to see that there's a known RSA key-generation variant that makes it a single-secret process, as mentioned on p.4 of the paper: choose p such that q = [(2^(2k-1) + p - (2^(2k-1) mod p))/p] is also prime. These are believed to be just as secure as independent p,q keys, but avoid the share-one-of-two-secrets failure mode. This seems very clever to me. It's easy to run around screaming "Cryptography is hopeless because implementers are idiots!", and substantially more useful to say "Here's a standard that is more robust to the existence of bad implementations." --Michael -- Forewarned is worth an octopus in the bush.