by schoen 3316 days ago
Per our previous discussion, you should probably add hash and KDF issues to this list.

I also find supercomputers relevant to PRNGs, both on the overall PRNG security front and on the inadequate seeding front. Since CSPRNGs are not designed to be slow to calculate, supercomputers can be used to attack key generation from inadequate seeding, given some useful model of what the effective space of seeds could have been.

For instance, there are probably still many embedded systems that are initializing without anything that is reasonably called "environmental noise", and their state space is dangerously small, yet maybe still challenging for most organizations to search, depending on exactly what they initialized it with.

1 comment

The embedded systems cold start entropy problem is a good point I hadn't thought about before.

Of course (not that you disagree), if you have this problem, you have it with or without NSA supercomputers!

I don't think CryptGenRandom or urandom on general-purpose computers is a viable target for this, though, regardless of how "fast" the CSPRNG is.
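An added illustration of the cold-start seeding problem both commenters discuss (example code written for this page, not from either commenter): it simulates a fleet whose only seed is a 16-bit boot tick counter, a constructed assumption, beside a fleet seeded from os.urandom, and counts how many distinct keys each design can ever produce.

```python
import hashlib
import hmac
import os
import random

TICK_BITS = 16  # constructed assumption: the only seed is a 16-bit boot tick count

def derive_key(seed: bytes) -> bytes:
    # Toy stand-in for "seed the CSPRNG, then generate a device key". A real
    # DRBG is just as deterministic: the seed's entropy bounds the key's
    # entropy no matter how strong the hash or how long the key.
    return hmac.new(seed, b"device-key", hashlib.sha256).digest()[:16]

def cold_start_seeds(n_devices: int, tick_bits: int = TICK_BITS,
                     sim_seed: int = 1234) -> list:
    # Constructed model of an embedded cold start: no hardware RNG and no
    # persisted seed, only a tick counter read at boot. The simulation's own
    # RNG is fixed so runs are reproducible.
    rng = random.Random(sim_seed)
    return [rng.randrange(1 << tick_bits).to_bytes(4, "big")
            for _ in range(n_devices)]

def urandom_seeds(n_devices: int) -> list:
    # The seed path a general-purpose OS offers: 256 bits from the kernel CSPRNG.
    return [os.urandom(32) for _ in range(n_devices)]

def fleet_distinct_keys(seeds: list) -> int:
    # Fleet audit: fewer distinct keys than devices means shared secrets.
    return len({derive_key(s) for s in seeds})

def possible_keys(tick_bits: int) -> int:
    # Design audit: how many distinct keys can this scheme ever produce?
    # It is the size of the seed space, not 2**128 for a 128-bit key.
    return len({derive_key(t.to_bytes(4, "big")) for t in range(1 << tick_bits)})

def exhaust_seconds(seed_bits: int, derivations_per_second: float) -> float:
    # Risk figure: worst-case time to try every seed at a given rate.
    return (1 << seed_bits) / derivations_per_second

if __name__ == "__main__":
    n = 10_000
    print("cold-start fleet:", fleet_distinct_keys(cold_start_seeds(n)), "distinct of", n)
    print("urandom fleet:", fleet_distinct_keys(urandom_seeds(n)), "distinct of", n)
    print("possible cold-start keys:", possible_keys(TICK_BITS))
    print("16-bit seeds at 1e6/s:", exhaust_seconds(16, 1e6), "s")
    print("256-bit seeds at 1e12/s:", f"{exhaust_seconds(256, 1e12):.2e}", "s")
```

With 10,000 simulated devices drawing from only 65,536 possible seeds, duplicate keys across the fleet are near-certain, while the urandom fleet shows none; the same duplicate-key count is a cheap audit to run over real device certificates.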