Re: VNC authentication weakness

[David Malone <dwmalone () maths tcd ie>]

On Mon, Jul 29, 2002 at 06:13:08PM +0000, daw () mozart cs berkeley edu wrote:
> On the other hand, the idea of combining many entropy sources using
> a cryptographic hash is a good one.  If this is used for cryptographic
> purposes, I'd just like to see some more reliably-unpredictable sources in
> there, if it were me.  However, maybe it's good enough for your purposes.
> I don't know.

> I collect online resources on how to generate cryptographic-quality
> unpredictable pseudorandomness.

The term "cryptographic-quality unpredictable pseudorandomness" is
probably much better than the term "entropy" when talking about
these issues (I note that you prefer the former). Some relatively
recent work has shown that "entropy" in the sense of "Shannon
entropy" may not be the idea measure for randomness for many uses.
I've listed a few papers which dip into this area below.

For example, the statement in the sci.crypt FAQ:

        We can measure how bad a key distribution is by calculating
        its entropy. This number E is the number of ``real bits of
        information'' of the key: a cryptanalyst will typically
        happen across the key within 2^E guesses. E is defined as
        the sum of -p_K log_2 p_K, where p_K is the probability of
        key K.

is actually wrong; 2^E may be an arbitrary large underestimate
of the expected number of guesses. (Thankfully, for those designing
crypto systems based on this assumption.)

The moral of the story is that it may pay to think about what you
are using your randomness for.

        David.

1) Guessing and Entropy, Massey, Proc. IEEE Int. Symp. on Info Th., 1994.
2) An Inequality on Guessing and its Application to Sequential Decoding, Arikan,
   IEEE Trans. on Info. Th., 1996.
3) Two Sided Bounds on Guessing Moments, Dragomir and Boztas, preprint, 1997.
4) The Disparity between Work and Entropy in Cryptology, Pliam, preprint, 1999.