[Cryptography] [RNG] on RNGs, VM state, rollback, etc.

Theodore Ts'o tytso at mit.edu
Sun Oct 27 01:15:36 PDT 2013


On Fri, Oct 25, 2013 at 08:12:00AM -0400, John Kelsey wrote:
> This gets back to the threat model discussion.  If your attacker is
> watching you from the outside as you generate your key, then
> interacting with stuff over the local net won't help you much.  (You
> may get a bit or two of entropy from the attacker not being able to
> know exactly which clock-tick you were on when the interrupt was
> serviced, but not much.)  If he's not watching you then, you can
> rule out a whole category of attackers.

Yes, absolutely.  For example, if you assume that the attacker has
network taps at Fort Meade and in the phone closets of companies like
AT&T, they are very likely not going to be able to watch your LAN
traffic.  OTOH, if they have physical access to your LAN such that
they can drop an agent close to your computer that can monitor all of
the packets hitting your computer, we have to ask how are they doing
this?  If they can somehow break into your local ethernet switch
remotely, then you might be in a world of hurt (although switches
generally don't have enough of a general purpose CPU that this
is likely).

If you posit a "black bag" job where they physically break into your
house, and replace your ethernet switch, then they could presumably
place a keyboard bug on your keyboard, or otherwise physically tamper
with your computer, install audio/video surveillance equipment in an
HVAC duct, etc. --- and then you're either doing something really
black hatish, or I have a tin foil hat to sell to you, or possibly
both.  :-)

My challenge as someone who is designing things like a general purpose
/dev/random is that it's challenging to determine which assumptions
about the threat environment might make sense in a large set of
hypothetical scenarios, and which do not.  I can imagine scenarios
where the adversary is on a public network --- say, at a University
dorm network --- who might be able to watch interpacket network
arrival times, but who probably can't make a lot of assumptions about
HDD drive completion times --- and the user might want to generate a
secure long-term public key for their ssh host key or for GPG.

I'm less willing to accept as a valid threat model one where the
adversary has near-total control over _all_ entropy sources, *and* can
divine the state of the prng, but has no other access to the system so
they can't break root in other ways, *and* where if you can't prove
that you can make the prng secure again, it's somehow horrible and
your rng is not robust (and that the authors of said paper should
deserve lots of citations so they can get a suitably high impact score
on their way to achieving tenure :-).

But maybe there are scenarios where such a threat environment is
actually realistic.  I'm certainly willing to hear someone try to give
me an example of such a threat environment; it would probably be quite
educational.

						- Ted
_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
