CPRNGs are still an issue.

Jerry Leichter leichter at lrw.com
Tue Dec 16 17:15:55 EST 2008


On Dec 16, 2008, at 12:10 PM, Simon Josefsson wrote:
> ...I agree with your recommendation to write an AES key to devices at
> manufacturing time.  However it always comes with costs, including:
>
> 1) The cost of improving the manufacture process sufficiently well to
> make it unlikely that compromised AES keys are set in the factory.
>
> 2) The cost of individualizing each device.
>
> Each of these costs can be high enough that alternative approaches can
> be cost-effective. (*) My impression is that the cost and risks in 1)
> are often under-estimated, to the point where they can become a
> relatively cheap attack vector.
>
> /Simon
>
> (*) In case anyone doubts how the YubiKey works, which I'm affiliated
> with, we took the costs in 1) and 2).  But they are large costs.  We
> considered to require users to go through an initial configuration step
> to set the AES key themselves.  However, the usability cost in that is
> probably higher than 1) and 2).
Configuration at installation seems to be worth considering.  It's a  
matter of making that as easy as possible.  Asking users for the AES  
key is not easy - people aren't good at generating, or even entering,  
random 128-bit strings.  However, you might be able to get them to  
push a reset button - or even connect and disconnect the device - a  
number of times and use the timing as a source of entropy.  For  
something like a network interface, it might be reasonable to assume  
that an attacker is unlikely to be present at exactly the time of  
initial configuration, so simply pulling bits off the wire/out of the  
air during initialization isn't unreasonable.  In general, given the  
assumption that it's easier to keep the initialization environment  
reasonably secure than it is the general fielded environment, and that  
you can afford much more time during initial configuration than is  
likely during normal operation, all kinds of things that are marginal  
if used operationally may be workable for initial configuration.   
(Also, of course, operational use may be unattended, but in most cases  
you can assume that initial configuration is attended.)
                                                         -- Jerry


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
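
The button-press idea from the message above, as an added example that is not part of the original post: inter-press intervals are mixed into a SHA-256 pool, and a 128-bit key is released only after enough entropy has been credited. The class name, the 4-bits-per-press credit, the 1 ms jitter threshold, the microsecond timer and the use of SHA-256 as the conditioner are all assumptions made for illustration; real credit values have to be measured on the actual hardware.

```python
import hashlib
import struct

KEY_BITS = 128
BITS_PER_PRESS = 4     # assumed conservative credit per interval; measure on real hardware
MIN_JITTER_US = 1000   # assumed: an interval this close to the previous one earns no credit

# Constructed sample: 40 intervals of roughly 200-250 ms, not captured from a real device.
SAMPLE_INTERVALS_US = [200_000 + (i * 7919) % 50_000 for i in range(40)]


class ButtonEntropyPool:
    """Hypothetical pool: collects press timings during attended initial configuration."""

    def __init__(self):
        # Domain-separation label (constructed) so the pool output is tied to this purpose.
        self._hash = hashlib.sha256(b"initial-config-key-v1")
        self._last_interval = None
        self.credited_bits = 0

    def add_press_interval(self, interval_us: int) -> int:
        """Mix one interval (microseconds) into the pool; return the bits credited for it."""
        # Every sample is mixed in, even when it earns no credit: mixing never hurts.
        self._hash.update(struct.pack(">Q", interval_us))
        credit = 0
        # Health check: a stuck or machine-driven button yields near-identical intervals.
        if (self._last_interval is not None
                and abs(interval_us - self._last_interval) >= MIN_JITTER_US):
            credit = BITS_PER_PRESS
        self._last_interval = interval_us
        self.credited_bits += credit
        return credit

    def presses_still_needed(self) -> int:
        missing = max(0, KEY_BITS - self.credited_bits)
        return -(-missing // BITS_PER_PRESS)  # ceiling division

    def derive_key(self) -> bytes:
        """Return a 128-bit key, or refuse while fewer than KEY_BITS have been credited."""
        if self.credited_bits < KEY_BITS:
            raise RuntimeError(f"need {self.presses_still_needed()} more presses")
        return self._hash.copy().digest()[: KEY_BITS // 8]
```

With these assumed numbers the user has to press the button 33 times before a key is released, which puts a concrete figure on the usability cost discussed in the thread.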


