Key generation
2008-05-19 10:35
Some people have suggested banning DSA keys because they are insecure when the random number generator that feeds them is poor (as recently happened in Debian's OpenSSL): a DSA signature made with a predictable per-signature nonce gives away the private key, whatever the quality of the key itself. This is a bit naive, since RSA key generation is vulnerable to its own failure modes when the generator is poor: the primes become predictable, and if two keys happen to share a prime both moduli fall to a single GCD. Doubtless if the Debian vulnerability had struck one of those we'd now be seeing the reverse suggestion.
One of the big differences between military crypto and civilian crypto is that civilian crypto rarely suspects that the process might not have worked. Military crypto lives in fear of subversion of key generation (since, as we have seen, that exposes a complete crypto deployment) and extensively tests both inputs and outputs. This paranoia catches not only subversion but implementation error as well. I hope this flaw encourages this suspicion of correct working to become commonplace in civilian crypto code.
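The input and output testing described above, as an added example (not code from the original post, and not OpenSSL's): a teaching-sized RSA generator parameterised by the RNG it draws from, a post-generation check routine, and a constructed PidOnlyRng stand-in whose only entropy is a 15-bit process ID, mimicking the shape of the Debian failure. The generator, the check names, TEST_MESSAGE and the PID value 4711 are assumptions made for illustration.

```python
"""Key-generation output checks around a teaching-sized RSA generator, plus a
constructed RNG whose only entropy is a 15-bit process ID (the shape of the Debian bug).
Pure Python 3.8+; nothing here is OpenSSL's code."""
import hashlib
import math
import random

E = 65537
TEST_MESSAGE = 0x0123456789ABCDEF  # fixed plaintext for the pairwise consistency test (assumed)


def miller_rabin(n, rounds=40):
    """Probabilistic primality test; witnesses come from the OS, not from the RNG under test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    witness_rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(witness_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Draw odd candidates with the top bit set from `rng` until one is probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand):
            return cand


def generate_rsa(bits, rng):
    """Minimal RSA key generation; `rng` only needs a getrandbits(k) method."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return {"n": p * q, "e": E, "d": pow(E, -1, phi), "p": p, "q": q}


def fingerprint(key):
    """SHA-256 of the big-endian modulus, used to recognise a key that was issued before."""
    n = key["n"]
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def check_key(key, seen):
    """Output tests on a freshly generated key. Returns the names of failed checks
    ([] means it passed). `seen` holds fingerprints of keys already issued and is updated."""
    p, q, n, e, d = key["p"], key["q"], key["n"], key["e"], key["d"]
    failures = []
    if p == q:
        failures.append("p equals q")
    if not (miller_rabin(p) and miller_rabin(q)):
        failures.append("factor not prime")
    if p * q != n:
        failures.append("n is not p*q")
    if (e * d) % ((p - 1) * (q - 1)) != 1:
        failures.append("d is not the inverse of e")
    # Pairwise consistency test: the two halves of the key must actually undo each other.
    if pow(pow(TEST_MESSAGE, e, n), d, n) != TEST_MESSAGE:
        failures.append("pairwise consistency")
    # A repeated key is the tell-tale of a seeding failure; no single-key test can see it.
    fp = fingerprint(key)
    if fp in seen:
        failures.append("duplicate key")
    seen.add(fp)
    return failures


class PidOnlyRng:
    """Constructed stand-in for a generator whose only entropy is the 15-bit process ID."""

    def __init__(self, pid):
        self._r = random.Random(pid & 0x7FFF)

    def getrandbits(self, k):
        return self._r.getrandbits(k)


def demo(bits=512):
    """Check two keys from the OS RNG and two from PID-only RNGs that got the same PID."""
    seen = set()
    good = [check_key(generate_rsa(bits, random.SystemRandom()), seen) for _ in range(2)]
    weak = [check_key(generate_rsa(bits, PidOnlyRng(4711)), seen) for _ in range(2)]
    return good, weak  # ([[], []], [[], ['duplicate key']])


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the uncomfortable one: every per-key test (primality, inverse, pairwise consistency) passes for the PID-only keys, because each of them is internally consistent. Only the record of what has already been issued catches the seeding failure, so output testing has to include that record, which is in effect the fingerprint blacklist approach Debian was driven to afterwards.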
Hopefully this fiasco will re-energise hardware manufacturers into providing hardware-based random number generation. The current scavenging across the operating system for any source of entropy isn't acceptable, and it is one of the root causes of this flaw.