[Cryptography] /dev/random is not robust

Alan Braggins alan.braggins at gmail.com
Tue Nov 5 05:13:41 EST 2013 

On 04/11/13 17:39, John Kelsey wrote:
> On Nov 3, 2013, at 5:27 PM, Alan Braggins <alan.braggins at gmail.com> wrote:
>> On 24 October 2013 16:16, Phillip Hallam-Baker <hallam at gmail.com> wrote:
> ...           [I hope I got the attribution right]
>>> If I was asked three months ago my position would be 'generate the keys on
>>> the device that is going to use them and they never leave unless it is a
>>> really constrained device like a credit card.'
>>>
>>> I have completely changed my mind on this. I now think public keys should be
>>> generated in device adapted for that purpose and migrated out using some
>>> form of secure protocol that ensures only the intended device can use them.
>>
>> Given that we're assuming the device can't reliably generate a secure key pair,
>> and assuming that it doesn't already have a secret specific to the device, what
>> protocols would be suitable for doing that?
>
> Yep, this is an unfixable problem.

That was my initial reaction, but I was hoping there was something I'd
missed.

It doesn't mean the approach is useless though. Even if you have a weak
session key (based on, say, clock time, a serial number, and a "secret"
shared by all devices of this class, input to a KDF), an attacker can
find the key, but not trivially, and they have to use it to attack
perhaps just one message where the long term private key is provisioned.

That's in some ways better than generating a weak long term
private key. (But maybe worse if it gives you a false sense of
security.)


> Now, if there is local traffic I can't intercept, your program can feed that into its RNG.
[...]
>> (And if we can ask a device to generate keys and securely migrate them to us,
>> we can ask it to generate some random seed material that isn't visible to an
>> attacker, which solves the problem of local generation.)
>
> Yep.  It seems like getting random secure starting seeds into devices would be a huge win here.  Then they can combine that with whatever information they have locally, and initialize their RNG, and then generate their keypair.

On the other hand, having one device with well-audited RNG with real
physical randomness, and well-audited key generation, provisioning lots
of products whose PRNGs you aren't too sure of even when seeded with
that un-intercepted local traffic, might have some value.

More information about the cryptography mailing list