[Cryptography] Techniques for malevolent crypto hardware

Eugen Leitl eugen at leitl.org
Mon Sep 9 02:26:09 PDT 2013


----- Forwarded message from Kent Borg <kentborg at borg.org> -----

Date: Sun, 08 Sep 2013 20:34:55 -0400
From: Kent Borg <kentborg at borg.org>
To: cryptography at metzdowd.com
Subject: Re: [Cryptography] Techniques for malevolent crypto hardware
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8

On 09/08/2013 06:16 PM, John Kelsey wrote:
> I don't think you can do anything useful in crypto without some
> good source of random bits.

I don't see the big worry about how hard it is to generate random
numbers unless:

 a) You need them super fast (because you are Google, trying to secure
your very high-speed long lines), or

 b) You are some embedded device that is impoverished for both sources
of entropy and non-volatile storage, and you need good random bits the
moment you boot.

On everything in between, there are sources of entropy. Collect them,
hash them together and use them to feed some good cryptography.  If
you seem short of entropy, look for more in your hardware manual. Hash
in any local unique information. Hash in everything you can find! (If
the NSA knows every single bit you are hashing in, no harm, hash them
in anyway, but...if the NSA has misunderestimated any one of your
bits...then you scored a bit! Repeat as necessary.)

I am thinking pure HW RNGs are more sinful than pure SW RNGs, because
real world entropy is colored and hardware is the wrong place to fix
that. So don't buy HW RNGs, buy HW entropy sources (or find them in
your current HW) and feed them into a good hybrid RNG.

On a modern multi-GHz CPU the exact LSB of your high-speed system
counters, when the interrupt hits your service routine, has
uncertainty that is quite real once you push the NSA a few
centimeters from your CPU or SoC.  Just sit around until you have a
few network packets and you can have some real entropy. Wait longer
for more entropy.

In case you didn't notice, I am a fan of hybrid HW/SW RNGs.

-kb


P.S.  Entropy pools that are only saved on orderly shutdowns are
risking crash-and-playback attacks. Save regularly, or something like
that.

P.P.S. Don't try to estimate entropy, it is a fool's errand, get as
much as you can (within reason) and feed it into some good
cryptography.

P.P.P.S. Have an independent RNG? If it *is* independent, no harm in
XORing it in.
_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
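The hybrid RNG Kent sketches (hash every entropy source into a pool, feed the pool into real cryptography, save the pool regularly rather than only at shutdown, XOR in an independent RNG), written out as an added example that is not part of the post or of any particular OS. HybridRNG, xor_independent and the source labels are my own names; SHA-256 and HMAC are standard-library choices, and in deployment os.urandom or a hardware source would be mixed in alongside the counter bits.

```python
import hashlib
import hmac
import os
import time

class HybridRNG:
    """Hash-based entropy pool feeding an HMAC chain generator (example code)."""

    def __init__(self):
        self.pool = bytes(32)   # SHA-256-sized accumulator, starts all-zero
        self.samples = 0

    def mix(self, label: str, data: bytes) -> None:
        """Hash one sample in; known bits do no harm, unknown bits only help."""
        h = hashlib.sha256(self.pool)
        h.update(len(label).to_bytes(2, "big") + label.encode())  # source label
        h.update(len(data).to_bytes(4, "big") + data)             # length-prefixed
        self.pool = h.digest()
        self.samples += 1

    def mix_counter_lsb(self) -> None:
        """Keep only the low byte of a high-resolution counter read at an unpredictable moment."""
        self.mix("counter_lsb", (time.perf_counter_ns() & 0xFF).to_bytes(1, "big"))

    def generate(self, n: int) -> bytes:
        """Derive key and chaining value from the pool, then run an HMAC chain."""
        key = hashlib.sha256(b"key" + self.pool).digest()
        v = hashlib.sha256(b"v" + self.pool).digest()
        out = b""
        while len(out) < n:
            v = hmac.new(key, v, hashlib.sha256).digest()
            out += v
        self.mix("generate", key)   # ratchet: earlier outputs cannot be recomputed
        return out[:n]

    def save(self, path: str) -> None:
        """Persist a derived value regularly (not only at orderly shutdown) via atomic rename."""
        tmp = path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(hashlib.sha256(b"save" + self.pool).digest())
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
        self.mix("saved", b"")      # live pool now differs from the on-disk copy

def xor_independent(a: bytes, b: bytes) -> bytes:
    """XOR in an independent RNG's output; if it really is independent, no harm done."""
    assert len(a) == len(b), "outputs must be the same length"
    return bytes(x ^ y for x, y in zip(a, b))
```

At boot the saved file is read back and passed to mix() like any other source; running save() on a timer rather than only at shutdown is what addresses the crash-and-playback concern in the P.S.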
