The Fortezza random number generator is not trustworthy
Yes Fortezza cards can be instructed to produce a random number through one of its library calls (someday they'll have a real API). One of the diagnostic tools I had tested this function. What algorithm do they use? Haven't a clue. Sources say that the RNG implementation may vary from vendor to vendor (i.e., GTC, Spyrus, Mykotronix, etc.).
A caution. I believe that CAPSTONE chips inside the Fortezza card are highly likely to have back doors in them, above and beyond the Clipper key escrow feature. In particular, the random number generator is probably compromised. Many of the top-secret NSA documents I have received under FOIA about Clipper say things like: "2. I briefed the Board on the CLIPPER and CAPSTONE chips and their capabilities and summarized the recommendations of the 19 November session: [TWO INCHES OF SOLID BLACKOUT] "3. The Policy Board reached consensus on the following points: [TWO LINES BLACKED OUT] a. NSA will provide for the availability from a vendor of a single chip which can be programed for law enforcement access exclusively through a key escrow "law enforcement exploitation field." The chip will have no trap doors or other methods of access. This chip is called CLIPPER. [THREE INCHES OF SOLID BLACKOUT] Note that they explicitly say "The chip will have no trap doors or other methods of access" when talking about Clipper, but all information about Capstone is blacked out. There's no such guarantee about Capstone. The Digital Signature Algorithm embedded in Capstone is the best "host algorithm" ever seen for subliminal channels. A subliminal channel is a means of communication which imparts information but cannot even be detected by third parties. By choosing numbers for DSA signatures that are not completely random, several subliminal channels are available, which can leak information as part of normal digital signatures. This subliminal information can only be read by someone who knows a secret about how the non-random numbers were generated. Gus Simmons, who did seminal work on subliminal channels while at Sandia Labs, wrote a Eurocrypt paper on this a year or two ago. The Capstone chip knows private things like your DSA private key, the last session key you loaded for Skipjack, etc. So it has info that is worth leaking to NSA wiretappers. Now the plot thickens. I submitted a FOIA request for all information the NSA had on subliminal channels. They responded that they had no information! We appealed and got the same answer. However, subliminal channels are clearly part of the crypto literature and knowledge base. They were a major concern when Gus designed nuclear test-ban verification crypto equipment in the '70s. The ONLY way NSA can legally claim to have no information on subliminal channels is if the MERE FACT OF THE EXISTENCE AT NSA of information on subliminal channels is classified. In other words, if their information ABOUT subliminal channels is classified, they can't say they have no documents; they have to say, e.g. "We have ten documents and they're all classified." If they have any documents, they can only legally claim to have no documents if just confirming the existence of the documents would itself reveal classified info. This is called "Glomarizing" and it's named for the Glomar Explorer, a ship which was secretly used for dredging up code books from sunken Soviet submarines. Merely confirming that records existed on the Glomar would have revealed classified information (i.e. that the government was involved; the cover story was that a private company was using it for deep-sea mining experiments). Apparently, merely confirming that NSA knows anything about subliminal channels would reveal classified information. If the mere existence of documents on subliminal channels is classified, it's probably because they are very actively and very secretly using them. And this tends to reinforce my perception that they are using them in Capstone, the heart of the Fortezza card. You're free to dismiss all this as paranoid rambling. However, if you use a Fortezza card to generate your random numbers, you have no way to determine how these numbers are being generated. Are they really random? How could you tell? Would you rather get "random" numbers from a classified NSA-designed chip that's part of a family designed to subvert your privacy? Or would you rather get them from a third-party product whose design you can actually verify? I'd prefer a random number generator where I can pull one "at random" from stock, take it apart, and verify that it really does what its designers say it does. John Gilmore
participants (1)
-
John Gilmore