- From: Jeffrey Walton <noloader@gmail.com>
- Date: Wed, 29 May 2013 23:38:15 -0400
- To: Richard Barnes <rbarnes@bbn.com>
- Cc: WebCrypto Comments <public-webcrypto-comments@w3.org>
On Wed, May 29, 2013 at 11:27 PM, Richard Barnes <rbarnes@bbn.com> wrote:
>
> On May 29, 2013, at 11:20 PM, Jeffrey Walton <noloader@gmail.com> wrote:
>
>> On Wed, May 29, 2013 at 10:44 PM, Ryan Sleevi <sleevi@google.com> wrote:
>>>
>>> On May 29, 2013 7:22 PM, "Jeffrey Walton" <noloader@gmail.com> wrote:
>>>
>>>> ...
>>>> One of the things I try and teach my guys is that they must validate
>>>> cryptographic parameters; and they cannot apply a secret if validation
>>>> fails. Unvalidated keys could have flaws that allow for recovery of
>>>> the secret. For example, if an RSA public key does not validate, then
>>>> it should not be used to transport a secret.
>>>
>>> Define your threat model. Where do such keys come from. Why are they not
>>> trusted - and yet being used to transfer secrets? Seems a conflicting
>>> statement.
>> What I have in mind is (1) weak keys due to bad generators (Debian,
>> NetBSD, OpenSSL, etc) and (2) weak keys due to bad algorithms and/or
>> lack of validation. Not everyone uses hardware rngs to seed
>> /dev/{u}random, not everyone uses "well known" libraries for
>> generation (confer, the small percentage of non-standard public
>> exponents), and not everyone performs rigorous testing before
>> publishing their public keys.
>>
>
> What is the algorithm you have in mind for testing these properties? You're not really going to get good entropy measurement on a 16-byte key.
>
Symmetric key testing should probably be limited to weak keys. Trying to test for entropy is usually futile since a broken generator seeded with the null string looks random (cf, https://lwn.net/Articles/525459/).

In the case of asymmetric keys, we have a number of tests that provide varying levels of thoroughness.

Jeff
Received on Thursday, 30 May 2013 03:38:46 UTC
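An added example, not code from this thread or any of its participants: a graded RSA public-key sanity check in Python of the kind the reply alludes to, running from cheap structural checks (size, exponent, small factors, perfect square) up to a Miller-Rabin test that rejects a prime modulus. The `SMALL_PRIMES` set, the 65537 warning and the 2048-bit default are choices made for this example, and every modulus used to exercise it is a toy value constructed for illustration.

```python
import math

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # trial-division set and Miller-Rabin bases

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin over fixed bases: deterministic below 3.3e24, probabilistic above."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def validate_rsa_public_key(n: int, e: int, min_bits: int = 2048) -> tuple[list[str], list[str]]:
    """Return (errors, warnings); any error means the key must not be used to wrap a secret."""
    errors, warnings = [], []
    if n <= 0 or e <= 0:
        return ["modulus and exponent must be positive"], warnings
    if n.bit_length() < min_bits:
        errors.append(f"modulus is {n.bit_length()} bits, below the {min_bits}-bit minimum")
    if e < 3 or e % 2 == 0:
        errors.append("public exponent must be odd and at least 3")
    if e >= n:
        errors.append("public exponent must be smaller than the modulus")
    if e != 65537:
        warnings.append(f"non-standard public exponent {e}")  # unusual generator, not proof of weakness
    for p in SMALL_PRIMES:  # cheap trial division catches an even or otherwise trivially factorable modulus
        if n % p == 0:
            errors.append(f"modulus has small factor {p}")
    r = math.isqrt(n)
    if r * r == n:
        errors.append("modulus is a perfect square")
    elif is_probable_prime(n):
        errors.append("modulus is prime, so there is no factorization to protect")
    return errors, warnings
```

The separation into errors and warnings matches the distinction drawn in the thread: a non-standard exponent is a hint about the generator, while a prime or trivially factorable modulus is a hard reason not to transport a secret under that key.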