On Fri, Oct 25, 2013 at 08:12:00AM -0400, John Kelsey wrote:
> This gets back to the threat model discussion. If your attacker is watching you from the outside as you generate your key, then interacting with stuff over the local net won't help you much. (You may get a bit or two of entropy from the attacker not being able to know exactly which clock-tick you were on when the interrupt was serviced, but not much.) If he's not watching you then, you can rule out a whole category of attackers.
Yes, absolutely. For example, if you assume that the attacker has network taps at Fort Meade and in the phone closets of companies like AT&T, they are very likely not going to be able to watch your LAN traffic. OTOH, if they have physical access to your LAN such that they can drop an agent close to your computer that can monitor all of the packets hitting your computer, we have to ask how they are doing this. If they can somehow break into your local ethernet switch remotely, then you might be in a world of hurt (although switches generally don't have enough of a general-purpose CPU for this to be likely). If you posit a "black bag" job where they physically break into your house and replace your ethernet switch, then they could presumably place a keyboard bug on your keyboard, or otherwise physically tamper with your computer, install audio/video surveillance equipment in an HVAC duct, etc. --- and then you're either doing something really black-hattish, or I have a tin foil hat to sell you, or possibly both. :-)

My challenge as someone who is designing things like a general purpose /dev/random is that it's challenging to determine which assumptions about the threat environment might make sense in a large set of hypothetical scenarios, and which do not. I can imagine scenarios where the adversary is on a public network --- say, a university dorm network --- and might be able to watch inter-packet arrival times, but probably can't make a lot of assumptions about HDD drive completion times --- and the user might want to generate a secure long-term public key for their ssh host key or for GPG.
I'm less willing to accept as a valid threat model one where the adversary has near-total control over _all_ entropy sources, *and* can divine the state of the prng, but has no other access to the system so they can't break root in other ways, *and* where, if you can't prove that you can make the prng secure again, it's somehow horrible and your rng is not robust (and the authors of said paper deserve lots of citations so they can get a suitably high impact score on their way to achieving tenure :-). But maybe there are scenarios where such a threat environment is actually realistic. I'm certainly willing to hear someone try to give me an example of such a threat environment; it would probably be quite educational.

- Ted
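The point Ted and John are circling, that how much entropy a timing source is worth depends on how finely a given attacker can observe it, can be made concrete with a small model. The following is an added example, not code from the thread or from the Linux /dev/random implementation. It assumes two constructed timing sources (network inter-arrival and disk completion timestamps with a fixed seed), three illustrative attacker models whose per-source observation resolutions are invented for the example, and a plain SHA-256 hash-mix standing in for a real pool; the function names residual_min_entropy, credit_against, mix_into_pool and report are the example's own.

```python
"""Toy model of how much timing entropy survives a given attacker's view.

Constructed example (not from the mailing-list thread): each event source
yields integer timestamps (nanoseconds); an attacker who can watch a source
sees each timestamp only rounded down to some resolution, so the part they
cannot predict is the timestamp modulo that resolution.  The min-entropy of
that residual is what a conservative /dev/random-style accounting could
credit against that particular attacker.
"""
import hashlib
import math
import random
from collections import Counter


def residual_min_entropy(timestamps, attacker_resolution):
    """Bits of min-entropy per sample that remain after the attacker sees
    every timestamp rounded down to a multiple of attacker_resolution.

    attacker_resolution=None models an attacker with no view of this source,
    so the full empirical timestamp distribution counts.  The estimate is
    empirical (bounded above by log2(len(timestamps))), so feed it many
    samples; it is a model for reasoning, not a certified entropy estimator.
    """
    if attacker_resolution is None:
        residuals = list(timestamps)
    else:
        residuals = [t % attacker_resolution for t in timestamps]
    counts = Counter(residuals)
    p_max = max(counts.values()) / len(residuals)
    return -math.log2(p_max)


def credit_against(sources, attacker):
    """Total bits credited across sources against one attacker model.

    sources:  {source_name: [timestamps]}
    attacker: {source_name: resolution}; a source absent from the dict is
              one this attacker cannot observe at all.
    """
    return sum(residual_min_entropy(ts, attacker.get(name))
               for name, ts in sources.items())


def mix_into_pool(pool, timestamps):
    """Hash-mix a batch of samples into a 32-byte pool state (SHA-256).
    Mixing never hurts: samples the attacker fully knows leave the pool no
    less unpredictable than before; only the *credit* depends on the threat
    model.  A real pool uses a proper extractor/DRBG, not a bare hash."""
    h = hashlib.sha256(pool)
    for t in timestamps:
        h.update(int(t).to_bytes(8, "little", signed=True))
    return h.digest()


def simulate_source(rng, n, mean_gap_ns, jitter_ns):
    """Constructed event timestamps: a fixed mean gap plus Gaussian jitter."""
    t, out = 0, []
    for _ in range(n):
        t += max(1, int(rng.gauss(mean_gap_ns, jitter_ns)))
        out.append(t)
    return out


# Constructed sample data with a fixed seed so runs are reproducible.
_rng = random.Random(2013)
SOURCES = {
    "net_interarrival": simulate_source(_rng, 4096, 1_000_000, 20_000),
    "disk_completion": simulate_source(_rng, 4096, 8_000_000, 500_000),
}

# Attacker models from the discussion, expressed as "how finely can this
# attacker see each source".  The resolutions are assumed, illustrative values.
ATTACKERS = {
    # Someone on the dorm LAN: sees packet timing to ~1 us, never sees disk.
    "dorm_network": {"net_interarrival": 1_000},
    # Upstream tap far from the LAN: coarser view of packets, no disk view.
    "upstream_tap": {"net_interarrival": 1_000_000},
    # Physical compromise of the host: sees every sample to the tick.
    "black_bag": {"net_interarrival": 1, "disk_completion": 1},
}


def report():
    """Credit per attacker model, in bits, for the constructed sources."""
    return {name: credit_against(SOURCES, atk) for name, atk in ATTACKERS.items()}


if __name__ == "__main__":
    for name, bits in report().items():
        print(f"{name:14s} credited {bits:7.2f} bits")
    pool = mix_into_pool(b"\x00" * 32, SOURCES["net_interarrival"])
    print("pool state:", pool.hex())
```

Running it prints one credit figure per attacker model: the black-bag attacker, who sees every sample exactly, gets zero credit from both sources, the LAN observer with microsecond packet timing leaves only the sub-microsecond residue of the network source (and all of the disk source), and the upstream tap leaves more. The design point is that the same samples are always mixed in; what the threat model changes is only the bookkeeping of how many bits the pool is trusted to have gained.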