4

Assume I have a source that generates symmetric keys. This source could be a very solid HSM device, a somewhat reliable PRNG, a compromised key generator, or a hardcoded value which returns the same byte sequence every time.

Thus, I am not sure if the key I receive is really trustworthy. So, what I plan to do is to generate another random key locally, and XOR these two.

My PRNG generator would be more reliable than a compromised system, but less reliable than a proper HSM device.

My question is, does "XOR'ing these keys" lower my security in any way? What if I have to add a couple more keys into the mix? Will XORing these remove the less than ideal security level of some keys (but not all) in the mix?

UPDATE: Let me put it another way: Assume I have a number of key generator sources and ideally all should generate secure keys. But there is always the possibility that some of these key generators are less than ideal security-wise.

This not-ideal condition could be because of a bug in the key generator (like the Debian case), it could be a backdoor placed by a 3rd party (NSA, Chinese Gov., North Korea, your neighbour script kiddy, ...), or a very different problem affecting the security level.

As long as I have at least one of the Key Generators generating "acceptably secure" keys, will XORing all of them reduce the level of security in any way?

My gut feeling is, since all keys are practically random sequences of bytes, XORing anything with a random sequence does not change the randomness. But I don't have anything to back this up.

So if you have anything supporting my gut feeling or against it, that would be great. If you don't, I also would like to hear your thoughts.

Thank you.

xycf7
  • I'm having trouble understanding why you'd do that: why not simply generate safe keys in the first place? – Stephane Jun 03 '15 at 14:45
  • If the source returns a hardcoded value each time then XORing the two values will always return zero. Unless you're using a separate trusted source... in which case why not just use this trusted entropy source to begin with? – RoraΖ Jun 03 '15 at 14:47
  • 1
    @raz He's re-generating new keys locally and XORing them with the external one. That's why I can't understand why he wants to go through all these hoops: at best, he's just making the whole thing more complex and, at worst, it might be weakening the key security. – Stephane Jun 03 '15 at 14:56
  • 3
    @Stephane I think the idea is that you cannot confirm the strength of the key that was generated for you, so you want to make it more secure. The proposed idea is to XOR with a 2nd key under the assumption that the process will make a stronger 'composite' key. The question is, "is the assumption correct?" – schroeder Jun 03 '15 at 16:20
  • 1
    @Stephane Because he has 2 sources and he doesn't know if source #1 is more secure than #2 or less secure. I do agree with this question, at the first glance it feels like best of both worlds. – Agent_L Jun 03 '15 at 17:18
  • @Stephane, schroeder and Agent_L got it right. Please see my update. Thank you. – xycf7 Jun 03 '15 at 20:13
  • @raz, returning a hardcoded value was an extreme example. My point is, some of the key generators could be compromised. In this case, if I use the keys directly it would not be secure. But I have to include those keys in the process somehow, because the generators are certified and our product will be advertised as using "securely certified key generators". – xycf7 Jun 03 '15 at 20:18
  • 2
    See http://en.wikipedia.org/wiki/Entropy_(information_theory)#Further_properties for the math behind combining two sources of entropy. Knowing the value of Y doesn't influence your knowledge of X. H(X|Y)=H(X). – John Deters Jun 03 '15 at 22:00

2 Answers

4

You are on solid ground with your basic XOR idea. XOR'ing multiple UNCORRELATED strings to reduce bias is one of a number of techniques that come under the general heading of "Software Whitening".

http://en.wikipedia.org/wiki/Hardware_random_number_generator#Software_whitening

(John Deters' wiki link was completely on-point; this one is just a bit more "applied".)

Using a cryptographically secure PRNG to create the material for XOR'ing is among the more reliable ways of guaranteeing a decorrelated removal of bias.
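As an added illustration (not code from the question or from either answer) of the XOR-whitening idea above, the following Python combines keys from several sources, checks exhaustively on one byte that the output distribution does not depend on the weak input (the H(X|Y)=H(X) point from the comments), and shows the correlated-input failure RoraΖ described. Function names and the sample "certified" key are assumptions made for the example.

```python
# Added example: XOR-combining keys from independent sources and checking
# why it works (and when it does not). Not code from the question or answers.
import math
import os
from collections import Counter


def combine_keys(*keys: bytes) -> bytes:
    """XOR equal-length keys from independent sources into one key.

    If any single input is uniformly random and independent of the others,
    the result is uniform, however weak or fixed the remaining inputs are.
    """
    if not keys:
        raise ValueError("need at least one key")
    n = len(keys[0])
    if any(len(k) != n for k in keys):
        raise ValueError("all keys must have the same length")
    out = bytearray(n)
    for k in keys:
        for i, b in enumerate(k):
            out[i] ^= b
    return bytes(out)


def output_distribution_is_uniform(weak_byte: int) -> bool:
    """One-byte toy check: for a fixed, attacker-known weak byte, XOR with
    every possible local byte reaches each output exactly once, so the
    output distribution does not depend on the weak value at all."""
    outputs = {weak_byte ^ local for local in range(256)}
    return outputs == set(range(256))


def conditional_entropy_bits(weak_byte: int) -> float:
    """Shannon entropy of the output given the weak byte; 8.0 means the
    local uniform byte fully masks it (H(X|Y) = H(X) from the comments)."""
    counts = Counter(weak_byte ^ local for local in range(256))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def correlated_inputs_collapse(key: bytes) -> bool:
    """Failure mode: if the 'local' key is not independent (here a plain
    copy of the external key), XOR cancels to all zeros."""
    return combine_keys(key, key) == bytes(len(key))


if __name__ == "__main__":
    certified = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    local = os.urandom(16)  # independent local CSPRNG key
    print(combine_keys(certified, local).hex())
```

The `certified` value stands in for an external generator that always returns the same key; the combined output is still uniform because `local` is.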

-3

Maybe you should use a key derivation function like PBKDF2 to generate the actual (final) key. http://en.wikipedia.org/wiki/PBKDF2#Key_derivation_process The key from the unreliable source can be the password to this function, with some random salt.

This would be cryptographically more secure than XORing two keys. Theoretically you could have collisions, i.e. two numbers XORing to get the same result.

  • "more secure than XORing" is just wrong. The goal was not to convert a password to a key, but generate the key itself from certain sources. – fr00tyl00p Jun 04 '15 at 09:05