CPRNGs are still an issue.

William Allen Simpson william.allen.simpson at gmail.com
Tue Dec 16 07:19:29 EST 2008 

Perry E. Metzger wrote:
[Snip admirably straightforward threat and requirements analysis]


> Yes, you can attempt to gather randomness at run time, but there are
> endless ways to screw that up -- can you *really* tell if your random
> numbers are "random enough?" -- and in a cheap device with low
> manufacturing tolerances, can you really rely on how consistent things
> like clock skew will be?
> 
Given the previous discussion on combining entropy, it shouldn't hurt, as
long as it's testable during manufacture.


> Lets contrast that with AES in counter mode with a really good factory
> installed key. It is trivial to validate that your code works
> correctly (and do please do that!) It is straightforward to build a
> device to generate a stream of good AES key at the factory, and you
> need only make sure that one piece of hardware is working correctly,
> rather than all the cheap pieces of hardware you're churning out.
> 
Ah, here's the rub.  I like this testing requirement.  The recent FreeBSD
Security Advisory was merely a simple failure of initialization -- yet
wasn't caught for the longest time, because it wasn't readily testable.


> One big issue might be that if you can't store the counter across
> device resets, you will need a new layer of indirection -- the obvious
> one is to generate a new AES key at boot, perhaps by CBCing the real
> time clock with the "permanent" AES key and use the new key in counter
> mode for that session.
> 
As long as the testing procedure validates the key and key+RTC separately.


> This does necessitate an extra manufacturing step in which the device
> gets "individualized", but you're setting the default password to a
> per-device string and having that taped to the top of the box anyway,
> right? If you're not, most of the boxes will be vulnerable anyway and
> there's no point...
> 
Recently, I was pleasantly surprised that the AT&T "U-verse" box had this!
Unlike the AT&T "2wire" boxes we were installing just this summer.

If we could only get Linksys, et alia on board....

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list