chip-level randomness?

Bill Frantz frantz at pwpconsult.com
Thu Sep 20 03:48:46 EDT 2001


At 2:17 PM -0700 9/19/01, Theodore Tso wrote:
>It turns out that with the Intel 810 RNG, it's even worse because
>there's no way to bypass the hardware "whitening" which the 810 chip
>uses.  Hence, if the 810 random number generator fails, and starts
>sending something that's close to a pure 60 HZ sine wave to the
>whitening circuitry, it may be very difficult to detect that this has
>happened.

Does anyone know what algorithm the "whitening" uses?  If you apply FIPS
140 to its output, are you likely to catch the most common failure modes?
(All ones, all zeroes, line frequency dependencies?)

Also when reseeding /dev/random, be careful to prevent continuation
attacks.  Gather enough entropy in a private buffer before reseeding to
prevent someone who has compromised the state of /dev/random from being
able to calculate the new state by exhaustive search.  (I would say 80+
bits would be enough.)

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | The principal effect of| Periwinkle -- Consulting
(408)356-8506         | DMCA/SDMI is to prevent| 16345 Englewood Ave.
frantz at pwpconsult.com | fair use.              | Los Gatos, CA 95032, USA
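The FIPS 140 check Bill asks about, as an added example that is not part of the original thread: the four FIPS 140-1 power-up tests (monobit, poker, runs, long run) with their FIPS 140-1 intervals, run over constructed 20,000-bit samples for the failure modes he lists plus a seeded PRNG standing in for a healthy source. The 810's whitening step is not modelled; the samples are fed straight to the tests.

```python
import random
SAMPLE_BITS = 20000
# Runs test intervals per run length (6 means six or longer), FIPS 140-1 values
RUN_BOUNDS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}

def fips140_tests(bits):
    """Return {test: passed} for a list of 20,000 ints in {0, 1}."""
    assert len(bits) == SAMPLE_BITS
    results = {}
    # Monobit: the count of ones must satisfy 9654 < X < 10346
    ones = sum(bits)
    results["monobit"] = 9654 < ones < 10346
    # Poker: 5000 four-bit nibbles, statistic must satisfy 1.03 < X < 57.4
    counts = [0] * 16
    for i in range(0, SAMPLE_BITS, 4):
        counts[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    poker = 16 / 5000 * sum(c * c for c in counts) - 5000
    results["poker"] = 1.03 < poker < 57.4
    # Runs and long run: walk maximal runs of identical bits, per bit value
    hist = {0: [0] * 7, 1: [0] * 7}   # hist[value][min(length, 6)]
    longest = i = 0
    while i < SAMPLE_BITS:
        j = i
        while j < SAMPLE_BITS and bits[j] == bits[i]:
            j += 1
        hist[bits[i]][min(j - i, 6)] += 1
        longest = max(longest, j - i)
        i = j
    results["runs"] = all(lo <= hist[b][k] <= hi for b in (0, 1)
                          for k, (lo, hi) in RUN_BOUNDS.items())
    results["long_run"] = longest < 34   # no run of 34 or more identical bits
    return results

def int_to_bits(value, n=SAMPLE_BITS):
    return [(value >> (n - 1 - k)) & 1 for k in range(n)]

# Constructed samples for the failure modes in the post, plus a seeded PRNG
# standing in for a healthy source (seed chosen only for reproducibility)
SAMPLES = {
    "all ones": [1] * SAMPLE_BITS,
    "all zeros": [0] * SAMPLE_BITS,
    "alternating 0101": [k & 1 for k in range(SAMPLE_BITS)],
    "line-locked square wave": [(k // 100) & 1 for k in range(SAMPLE_BITS)],
    "seeded PRNG": int_to_bits(random.Random(2001).getrandbits(SAMPLE_BITS)),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:24s}", fips140_tests(sample))
```

Note that the alternating and square-wave samples pass monobit (exactly half ones) and are caught only by the poker, runs or long-run tests, which is why all four are needed.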
