Any of the X_j's may be used as an IV for DES modes of operation (see
page 135). The PRNs may also be employed as DES keys. On the other hand,
PGP employs two PRNGs, the ANSI X9.17/X9.31 generator and a function that
measures the entropy from the latency in the user's keystrokes (see Chapter 11).
However, PGP is not restricted to 3-DES, since it also has the option of using
IDEA or CAST-128 (see [2], [3], and [159]). In fact, it is a relatively easy
task to convert ANSI X9.17/X9.31 to the use of IDEA, for instance.
ANSI X9.17/X9.31 PGP Session Key and IV Generation
We will assume, for convenience, that PGP consists of the four components:
(1) the SKC, IDEA; (2) the PKC, RSA (see Section 4.2); (3) the hash MD5 (see
page 255); and (4) the PRNG, X9.17/X9.31 in conjunction with user keystroke
entropy information. The latter provides true random number generation for
the purpose of generating RSA pairs, and providing initial and subsequent input
to the PRNG. Once a latency timer, or keystroke timer, anticipates a keystroke
from a user, it records the time in 32-bit format and once the keystroke is
received, it records the time the key was pressed and the 8-bit value of the
keystroke. This time and keystroke data are used to generate a key, which is
used to encipher the current value of the random bit buffer. (PGP keeps a 256-
byte random bit buffer.) To ensure maximum entropy, the keystrokes should be
separated as randomly as possible.
The initial random bitstring from the latency timer is input as a 24-byte seed,
called randseed.bin, for the X9.17/X9.31 generator. The seed is then washed
with an IDEA encryption in CFB mode. The IDEA key is an MD5 hash of the
plaintext message and a null IV. The outcome of the process is a 16-byte session
key and an 8-byte IV, together with a new seed for the next PRNG.
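As an added illustration of the generator just described (this is not code from the book, from PGP, or from any X9.17 vendor), the following Go program steps the ANSI X9.17/X9.31 recurrence with 3DES from Go's standard library and draws the 16-byte session key and 8-byte IV from three successive timestamps. The 3DES key, the 8-byte seed standing in for randseed.bin and the timestamp are constructed values; the keystroke-latency entropy and the IDEA/MD5 washing of the seed file are not modelled.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"errors"
)

// X917 is an ANSI X9.17 generator: a keyed block cipher plus the current
// 8-byte seed V_{j-1} (the value PGP keeps in randseed.bin; constructed here).
type X917 struct {
	blk cipher.Block
	v   []byte
}

// NewX917 keys the generator with a 24-byte 3DES key and an 8-byte seed
// (any other cipher.Block, e.g. an IDEA implementation, could replace 3DES).
func NewX917(key, seed []byte) (*X917, error) {
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(seed) != blk.BlockSize() {
		return nil, errors.New("seed must be one cipher block long")
	}
	return &X917{blk: blk, v: append([]byte(nil), seed...)}, nil
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for k := range a {
		out[k] = a[k] ^ b[k]
	}
	return out
}

// Next returns output block X_j for the 64-bit date/time value D_j:
// I_j = E_K(D_j), X_j = E_K(I_j xor V_{j-1}), V_j = E_K(X_j xor I_j).
func (g *X917) Next(dt uint64) []byte {
	d, i, x := make([]byte, 8), make([]byte, 8), make([]byte, 8)
	binary.BigEndian.PutUint64(d, dt)
	g.blk.Encrypt(i, d)
	g.blk.Encrypt(x, xor(i, g.v))
	g.blk.Encrypt(g.v, xor(x, i)) // seed V_j for the next call
	return x
}

// SessionKeyAndIV uses X_1||X_2 as the 16-byte session key and X_3 as the IV.
func SessionKeyAndIV(g *X917, dt uint64) (key, iv []byte) {
	key = append(g.Next(dt), g.Next(dt+1)...)
	return key, g.Next(dt + 2)
}
```

Because every call rewrites the seed, two calls with the same timestamp still yield different blocks; the seed file must therefore be written back after each use, as the text describes.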
Analysis
PGP's PRNG is a cryptographically solid method for generating temporary
SKC keys, which has stood the test of peer review for some time. The seed
file, randseed.bin, is kept in a disk file that is reseeded by the generator for each
usage. Although randseed.bin should not be revealed, a cryptanalyst would have
extreme difficulty in obtaining pertinent data from it, if it were captured, since
it is “cryptographically washed” both before and after each use. The long-term
RSA key pairs are generated from the “truly random” entropy derived from the
keystroke latencies. Thus, the overall strength of the scheme is based on a firm
bedrock of iron-clad cryptography.
We now turn to a discussion of other PRNGs. One of the most popular,
introduced in 1986 (see [29]), is given in the following. We first need to set the
stage with some rather interesting integers.
Blum Integers
For the next algorithm, we need to refer to quadratic residues modulo a
given integer n, called a Blum integer, which is an integer n = pq, where
p ≡ q ≡ 3 (mod 4) are distinct primes. Since Blum integers have such interesting
properties, we list some here for the reader as a preparatory introduction.