1. 17
    1. 2

      Can anyone guess why he calls the NSA “Clyde Frog”? Seems to be a reference to an inanimate stuffed animal on the South Park TV show, but there’s no mention of why the author wants a nickname, what this one connotes, or why it’s worth the distraction and obscurity.

      1. 3

        Eh, “why” is explicitly stated on the right margin. “If I call NSA Clyde Frog long enough, eventually other people will too. Someone has to start the meme!”

        Let us not spread this useless meme.

      2. 2

        This really is going way over my head. Is there an explain like I’m five style version of this?

        1. 13

          If you want to predict the output of a broken (not) random number generator, you need to see a certain amount of its output. TLS only exposes a small amount of random output to an observer. There was a proposed extension to expose more.

          1. 2

            Ah ok, I understand now. Thanks so much for explaining!

            1. 1

It’s been a while since I looked at this, but I wonder if there is a way to reveal no RNG output?

              1. 4

                Well, of course, given a particular RNG, you can always choose to not reveal any of that RNG’s output. For example, you could XOR the output with 0xAA bytes, although depending on how weak it is, that might not have a useful effect. It’s probably pretty safe to only reveal the HMAC of the RNG’s output using a secret key.

                But the whole point of CSPRNGs is that you’re supposed to not have to do that.

                A perhaps more interesting approach is to avoid using randomness as much as possible, reducing the risk from malicious RNGs.
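As an added illustration of the two masking ideas above (example code written for this thread, not from the original discussion): a constructed toy LCG whose next output follows from a single observed value, showing that XORing with constant 0xAA bytes leaves it exactly as predictable, while revealing only a keyed HMAC of the output does not. The seed and key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed toy generator (deliberately weak, not a CSPRNG): a 32-bit LCG
# whose entire internal state is its last output, so one exposed value is enough.
A, C, M = 1664525, 1013904223, 2**32


class ToyLCG:
    def __init__(self, seed):
        self.state = seed % M

    def next_u32(self):
        self.state = (A * self.state + C) % M
        return self.state


def predict_next(observed):
    """Observer's model of the broken RNG: next output from one raw output."""
    return (A * observed + C) % M


def xor_mask(value, mask=0xAAAAAAAA):
    """XOR with 0xAA bytes. The mask is public and XOR is its own inverse."""
    return value ^ mask


def hmac_mask(key, value):
    """Expose only HMAC-SHA256(key, output), truncated to 32 bits."""
    tag = hmac.new(key, value.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big")


def observer_wins(exposed, unmask=lambda v: v, remask=lambda v: v):
    """True if the observer predicts the second exposed value from the first."""
    first, second = exposed
    return remask(predict_next(unmask(first))) == second


def demo(seed=12345, key=b"constructed placeholder key"):
    rng = ToyLCG(seed)
    outs = [rng.next_u32(), rng.next_u32()]
    return {
        # Raw output: one value reveals the state, the next is predictable.
        "raw": observer_wins(outs),
        # Constant XOR: observer strips the known mask and predicts as before.
        "xor": observer_wins([xor_mask(v) for v in outs], xor_mask, xor_mask),
        # Keyed HMAC: without the key the recurrence no longer holds on what is exposed.
        "hmac": observer_wins([hmac_mask(key, v) for v in outs]),
    }
```

The comparison only says the keyed mask hides the recurrence from an observer; it does not repair the underlying generator, which is the commenter's point about CSPRNGs.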