CPRNGs are still an issue.
Jerry Leichter
leichter at lrw.com
Tue Dec 16 17:15:55 EST 2008
On Dec 16, 2008, at 12:10 PM, Simon Josefsson wrote:
> ...I agree with your recommendation to write an AES key to devices at
> manufacturing time. However it always comes with costs, including:
>
> 1) The cost of improving the manufacture process sufficiently well to
> make it unlikely that compromised AES keys are set in the factory.
>
> 2) The cost of individualizing each device.
>
> Each of these costs can be high enough that alternative approaches can
> be cost-effective. (*) My impression is that the cost and risks in 1)
> are often under-estimated, to the point where they can become a
> relatively cheap attack vector.
>
> /Simon
>
> (*) In case anyone doubts how the YubiKey works, which I'm affiliated
> with, we took the costs in 1) and 2). But they are large costs. We
> considered requiring users to go through an initial configuration step
> to set the AES key themselves. However, the usability cost in that is
> probably higher than 1) and 2).
Configuration at installation seems to be worth considering. It's a
matter of making that as easy as possible. Asking users for the AES
key is not easy - people aren't good at generating, or even entering,
random 128-bit strings. However, you might be able to get them to
push a reset button - or even connect and disconnect the device - a
number of times and use the timing as a source of entropy. For
something like a network interface, it might be reasonable to assume
that an attacker is unlikely to be present at exactly the time of
initial configuration, so simply pulling bits off the wire/out of the
air during initialization isn't unreasonable. In general, given the
assumption that it's easier to keep the initialization environment
reasonably secure than it is the general fielded environment, and that
you can afford much more time during initial configuration than is
likely during normal operation, all kinds of things that are marginal
if used operationally may be workable for initial configuration.
(Also, of course, operational use may be unattended, but in most cases
you can assume that initial configuration is attended.)
-- Jerry
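Jerry's idea of timing repeated reset-button presses, worked through as an added example (my own code, not Jerry's, Simon's, or any product's): it keeps only the low-order jitter of each inter-press interval, refuses to emit a key until a crude min-entropy estimate reaches 128 bits, and conditions the jitter into an AES-128 key with a hash. The simulated timestamps, the 32-press minimum and the `device-init-key-v1` domain label are assumptions.

```python
import hashlib
import math
import random
from collections import Counter

def press_jitter(timestamps_ns, low_bits=8):
    """Reduce button-press timestamps (ns) to the low-order bits of each
    inter-press interval. The coarse rhythm of the presses is assumed to be
    observable by an attacker, so only the sub-microsecond jitter is kept."""
    mask = (1 << low_bits) - 1
    return [(later - earlier) & mask
            for earlier, later in zip(timestamps_ns, timestamps_ns[1:])]

def min_entropy_per_sample(samples):
    """Conservative estimate: -log2(frequency of the most common value).
    A toy stand-in for a proper NIST SP 800-90B style assessment."""
    if not samples:
        return 0.0
    top = Counter(samples).most_common(1)[0][1]
    return -math.log2(top / len(samples))

def derive_device_key(timestamps_ns, required_bits=128, min_presses=32):
    """Condition press jitter into a 128-bit key, or return None when the
    collected material does not plausibly hold `required_bits` of entropy."""
    samples = press_jitter(timestamps_ns)
    if len(samples) < min_presses:
        return None
    if min_entropy_per_sample(samples) * len(samples) < required_bits:
        return None
    raw = bytes(samples)  # each sample is 0..255 with the default low_bits=8
    return hashlib.sha256(b"device-init-key-v1" + raw).digest()[:16]

def simulate_presses(count, seed=1):
    """Constructed stand-in for a user pressing reset `count` times at roughly
    half-second intervals with sub-millisecond jitter (not real measurements)."""
    rng = random.Random(seed)
    t, out = 0, []
    for _ in range(count):
        t += 500_000_000 + rng.randrange(0, 1_000_000)
        out.append(t)
    return out

if __name__ == "__main__":
    key = derive_device_key(simulate_presses(400))
    print("key:", key.hex() if key else "insufficient entropy, ask for more presses")
```

Perfectly regular presses (or too few of them) yield no key at all, which is the check a fielded device should make before trusting user-supplied timing.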
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com