chip-level randomness?

Bram Cohen bram at gawth.com
Wed Sep 19 18:43:38 EDT 2001


On Wed, 19 Sep 2001, Theodore Tso wrote:

> One of the things which I've always been worried about with the 810
> hardware random number generators in general is how to protect against
> their failing silently. 

That certainly is a concern, although no more of a concern than it is with the
even faultier hacked-up entropy collection techniques currently
used. Getting any entropy at all on a headless machine is a real problem.

> It turns out that with the Intel 810 RNG, it's even worse because
> there's no way to bypass the hardware "whitening" which the 810 chip
> uses.  Hence, if the 810 random number generator fails, and starts
> sending something that's close to a pure 60 Hz sine wave to the
> whitening circuitry, it may be very difficult to detect that this has
> happened.

That's very lame. It gets even more worrisome when you have computers
which are supercooled so you can overclock them...

Bias correction in hardware is pointless. It's run through an entropy
gathering device later on anyway, so as long as you have a *known* amount
of entropy per bit it's okay if it's not 1.

> So probably what makes sense is to make this be configurable.... and
> probably at run-time.

It should default to trusting the hardware RNG, and have the option of not
doing so be there for those who think they need it.

> However, I *do* want to preserve the original design goal of allowing
> the transfer of entropy from hardware random number generators to
> /dev/random to be controlled by a user-mode process, which can be
> arbitrarily paranoid about trying to do quality checks on the output
> of the hardware random number generator before feeding it to
> /dev/random. 

That's perfectly reasonable.

> However, given the use of /dev/urandom, being able to feed more
> possible randomness into the entropy pool, even if we don't bump the
> entropy estimator, can only be a good thing.

Does /dev/urandom block before it's gotten its first seeding? It probably
should.

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent"
                                        -- John Maynard Keynes
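The failure mode discussed above (a hardware RNG collapsing to something like a thresholded 60 Hz sine wave, with on-chip whitening hiding the collapse from anything downstream) is easy to reproduce in miniature. The following is an added example for this archived message, not code from the thread, from the Linux /dev/random driver or from any Intel documentation. It runs the FIPS 140-2 power-up monobit and long-run tests, plus a frequency-based min-entropy estimate, on three constructed streams: the raw degraded source, the same source after a hash-based conditioner standing in for hardware whitening (not a model of the 810's circuit), and a seeded PRNG standing in for a healthy noise source. The sample rate of the sine wave and the conditioner design are assumptions made for the demonstration.

```python
"""Health tests a user-mode RNG quality checker might run on hardware RNG
output, and why they have to see raw (pre-whitening) bits.

Constructed example; not code from the message, from /dev/random or from any
vendor documentation. Thresholds are the FIPS 140-2 power-up monobit and
long-run limits, which are defined over a 20,000-bit sample.
"""
import hashlib
import math
import random
from collections import Counter

SAMPLE_BITS = 20000                       # FIPS 140-2 tests use 20,000 bits
MONOBIT_LOW, MONOBIT_HIGH = 9725, 10275   # FIPS 140-2 monobit acceptance band
LONG_RUN_LIMIT = 26                       # FIPS 140-2: a run of >= 26 bits fails


def sine_source(n_bits, samples_per_cycle=100):
    """Failed source: a 60 Hz sine wave thresholded at zero.

    100 samples per cycle is a constructed value; it yields alternating runs of
    fifty 1s and fifty 0s, a periodic, nearly entropy-free stream. Sampling at
    half-steps avoids sin(x) == 0 ties in floating point.
    """
    return [1 if math.sin(2 * math.pi * (i + 0.5) / samples_per_cycle) > 0 else 0
            for i in range(n_bits)]


def healthy_source(n_bits, seed=2001):
    """Stand-in for a working noise source (seeded so the run is repeatable)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n_bits)]


def bits_to_bytes(bits):
    # Drops any trailing partial byte.
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def bytes_to_bits(data):
    return [(b >> (7 - k)) & 1 for b in data for k in range(8)]


def whiten(bits, in_block=512, out_block_bytes=32):
    """Stand-in for on-chip whitening: hash each 512-bit raw block to 256 bits.

    A generic conditioner, not a model of the 810's circuit. A block counter is
    mixed in so a periodic input does not yield repeated output blocks, which is
    what makes a degraded source invisible to tests run after whitening.
    """
    out = []
    for n, i in enumerate(range(0, len(bits) - in_block + 1, in_block)):
        block = n.to_bytes(4, "big") + bits_to_bytes(bits[i:i + in_block])
        out.extend(bytes_to_bits(hashlib.sha256(block).digest()[:out_block_bytes]))
    return out


def monobit_test(bits):
    """FIPS 140-2 monobit: the count of ones must fall inside the band."""
    ones = sum(bits)
    return MONOBIT_LOW < ones < MONOBIT_HIGH


def longest_run(bits):
    """Length of the longest run of identical consecutive bits."""
    longest = run = 1
    for prev, cur in zip(bits, bits[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def min_entropy_per_byte(bits):
    """Frequency-based min-entropy estimate, -log2(p_max), over 8-bit symbols.

    On the periodic raw stream this reports roughly 1 bit per byte; on the same
    stream after whitening it reports nearly 7 bits per byte, which is the
    misleading figure a checker gets if it only ever sees conditioned output.
    """
    counts = Counter(bits_to_bytes(bits))
    p_max = max(counts.values()) / sum(counts.values())
    return -math.log2(p_max)


def health_report(bits):
    sample = bits[:SAMPLE_BITS]
    return {
        "monobit": monobit_test(sample),
        "long_run": longest_run(sample) < LONG_RUN_LIMIT,
        "min_entropy_per_byte": min_entropy_per_byte(sample),
    }


RAW = sine_source(SAMPLE_BITS)
# 80 raw blocks of 512 bits whiten down to 20,480 bits, enough for a full sample.
WHITENED = whiten(sine_source(80 * 512))
HEALTHY = healthy_source(SAMPLE_BITS)

if __name__ == "__main__":
    for name, bits in (("raw sine", RAW), ("whitened sine", WHITENED), ("healthy", HEALTHY)):
        print(f"{name:14s} {health_report(bits)}")
```

Two things stand out when the report is run. The raw sine wave passes the monobit test, because a symmetric periodic signal has exactly as many ones as zeros; only the long-run test (runs of 50) and the per-byte entropy estimate expose it. After conditioning, the same entropy-free input passes every test and looks like it carries almost 7 bits per byte, which is the detection problem raised in the quoted message and why a quality-checking process, as proposed there, needs access to the unwhitened output and a known per-bit entropy figure rather than a statistically clean-looking stream.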

---------------------------------------------------------------------
The Cryptography Mailing List