Suppose a given random number generator has poor entropy, and is compressible by

Question

Suppose a given random number generator has poor entropy, and is compressible by any compression algorithm (zlib, bzip2, lzma, etc).

Specifically the issues with this RNG are:

- Bad entropy
- Bad seed size
- Failure to use multiple sources of entropy
- Reseeding only occurs once, at initialization, instead of at an interval. (less important than the issues mentioned above)

I'm asking this question so I can:

- ..estimate the loss of security created by bad entropy
-..understand what aspects of encryption would be affected, and what wouldn't be affected (hashing, encryption, signatures, etc)

Explanation / Answer

A secure random source is the most critical aspect of a security infrastructure. Without a proper entropy source you are lost. Hashing in principle is not affected but the private/public key pair which is used to encrypt the hash with is and therefore a digital signature can no longer be trusted. The biggest problem with random generators is that it's hard to detect whether a random generator is good or not. Something that might look random might actually not be random at all (for example the random generator bug in Debian in 2008 was not easilly detected). Since it's hard to detect problems with random generators it's also the most likely attack vector for any 3 letter organisations (look for example at Dual_EC_DRBG). If you want to be safe, it might help to use multiple random sources and xor them one after the other.

Related Questions

Navigate

• Browse (All)
• Browse S
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.