Re: The Fortezza random number generator is not trustworthy
A nice addition to any Netscape RNG hacks is the comment that, while Netscape may have a bug in their RNG, it's detectable and fixable; the NSA may have a BUG in theirs, and only they'll know for sure...
Yes, Fortezza cards can be instructed to produce a random number through one of their library calls (someday they'll have a real API). One of the diagnostic tools I had tested this function. What algorithm do they use? Haven't a clue. Sources say that the RNG implementation may vary from vendor to vendor (i.e., GTC, Spyrus, Mykotronix, etc.).
John Gilmore's comments on CAPSTONE, subliminal channels, and FOIA blackouts certainly add depth to this suspiciousness. I'd initially not been too worried about the Fortezza (besides the obvious Master Key problems) because the NSA is letting the military use them for Defense Messaging Service. However, if the RNG might be different for different vendors, the non-military versions may be using a weak RNG, which the NSA has a backdoor to. Alternatively, the RNGs may all be the same, but there may be an option that the military can use to get full-strength random numbers while the public, not knowing this, gets weakened ones (e.g. the first n bits of the RNG may be random, and the next N-n bits may be a strong hash, while there are N-n real random bits in another register if you ask for them nicely.)

On a technical note, I would have thought that Fortezza and/or CAPSTONE used some sort of hardware RNG, i.e. noisy Zener diodes or whatever. I've seen it mentioned on this list that some other NSA secure phones, such as STU-III, do that.

#---
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---
> On a technical note, I would have thought that Fortezza and/or CAPSTONE used some sort of hardware RNG, i.e. noisy Zener diodes or whatever. I've seen it mentioned on this list that some other NSA secure phones, such as STU-III, do that.
I was under the impression that a seed for the RNG is loaded into the Fortezza at initialization time. This would make me think that they are using a cryptographically strong PRNG. This would give data that appears random, but is completely determined by the initial state. I suspect that the "seed keys" provided by the two agencies used to program the Clipper chips has the same properties. This makes the question about how does the NSA get access to the key escrow database moot. They don't need access. They know a priori all the unit keys.
Date: Tue, 26 Sep 1995 14:56:54 -0700
From: Eric Blossom <eb@comsec.com>
> I was under the impression that a seed for the RNG is loaded into the Fortezza at initialization time. This would make me think that they are using a cryptographically strong PRNG. This would give data that appears random, but is completely determined by the initial state.
>
> I suspect that the "seed keys" provided by the two agencies used to program the Clipper chips has the same properties. This makes the question about how does the NSA get access to the key escrow database moot. They don't need access. They know a priori all the unit keys.
My favorite Clipper master key generation algorithm, in the sacrificial laptop in the Mykotronix vault, is:

\[ K(n) = H_1(R_1, R_2, n) = H_2(n) \]

where $H_2$ is a damned good one-way function, as highly classified as DERD's original description of the PRNG in the chip programming process indicated, $n$ is the chip's serial number, $R_1$ and $R_2$ are the ranno seeds provided by NIST and Treasury folks and $K(n)$ is the master key for chip $n$.

- Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison cme@acm.org http://www.clark.net/pub/cme |
|PGP: E0414C79B5AF36750217BC1A57386478 & 61E2DE7FCB9D7984E9C8048BA63221A2 |
| ``Officer, officer, arrest that man! He's whistling a dirty song.'' |
+---------------------------------------------- Jean Ellison (aka Mother) -+
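An added illustration (not code from the thread or from any of the vendors named in it) of the property Eric and Carl describe: when a unit key is a deterministic function of the two agency seeds and the chip serial, anyone holding the seeds recomputes every key without touching an escrow database, and only mixing in per-chip entropy the seed holder cannot see breaks that. The seed values, the serials, the HMAC-SHA-256 stand-in for $H_1$ and the 80-bit key length are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample seeds standing in for the NIST and Treasury "seed keys" (R_1, R_2).
R1 = bytes.fromhex("00112233445566778899aabbccddeeff")
R2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
KEY_LEN = 10  # 80-bit unit key, chosen only as an illustrative length


def derive_unit_key(r1: bytes, r2: bytes, serial: int, entropy: bytes = b"") -> bytes:
    """Stand-in for H_1(R_1, R_2, n): HMAC-SHA-256 keyed with both seeds over the
    serial number. This construction is an assumption, not the classified generator
    the thread refers to. `entropy` is optional per-chip data a seed holder lacks."""
    mac = hmac.new(r1 + r2, serial.to_bytes(4, "big") + entropy, hashlib.sha256)
    return mac.digest()[:KEY_LEN]


def programmer_keys(serials, entropy_per_chip=None):
    """The chip-programming facility: one key per serial from the seeds, optionally
    mixed with per-chip hardware randomness (the noisy-diode source Bill expected)."""
    entropy_per_chip = entropy_per_chip or {}
    return {n: derive_unit_key(R1, R2, n, entropy_per_chip.get(n, b"")) for n in serials}


def seed_holder_keys(serials):
    """A party holding only R_1 and R_2: no escrow database, no per-chip entropy."""
    return {n: derive_unit_key(R1, R2, n) for n in serials}


def escrow_moot(serials) -> bool:
    """Eric's point: with a purely seed-determined generator the seed holder
    reproduces every unit key a priori, so access to the escrow database is moot."""
    return programmer_keys(serials) == seed_holder_keys(serials)


def escrow_needed_with_entropy(serials) -> bool:
    """Mitigation: per-chip entropy that never leaves the programming station makes
    the seed holder's recomputation fail; the key now exists only in the chip and
    wherever it was deliberately escrowed."""
    entropy = {n: os.urandom(16) for n in serials}  # constructed hardware-noise stand-in
    return programmer_keys(serials, entropy) != seed_holder_keys(serials)
```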
Participants (3): Bill Stewart, cme@acm.org, Eric Blossom