[Cryptography] randomness +- entropy

Jerry Leichter leichter at lrw.com
Wed Nov 6 23:16:42 EST 2013


On Nov 6, 2013, at 2:40 PM, John Denker wrote:
> Suppose we have something that boots from read-only media 
> -- booting repeatedly, unattended, with no HRNG, with no 
> hypervisor, with no non-volatile memory, and yet no air-gap.  
> This must be declared an unsound design.  Get a clue.  Get 
> some persistent memory, get a HRNG, get the hypervisor to 
> provide a seed, or whatever, so as to ensure that the PRNG 
> is up and running very, very early.
I don't know how many such systems are out there, but if there are such, they are likely old or very cheap embedded systems that it'll be tough to get software updates onto, and impossible to get new hardware onto.  Declaring them "unsound" may not make them go away.

In fact, though, I can think of one simple example:  A CD Linux image used precisely to conduct operations we want to keep secure.  For example, there's a suggestion that small businesses use exactly such a thing to do their on-line banking, as their usual systems are way too vulnerable to various kinds of malware (and small businesses have been subject to attacks that bankrupted them).  The CD itself can't carry a seed, as it will be re-used repeatedly.  It has to come up quickly, and on pretty much any hardware, to be useful.  You could probably get something like Turbid in there - but there are plenty of CDs around already that have little if anything.

Engineering, like politics, is often the art of the possible - and this is exactly a situation where we need to look for solutions that make the situation as much better as we can.  A request for a random seed on the LAN - whether through a DHCP extension, or in some other way - would at least protect against attackers not in a position to watch the local LAN.  Not ideal, but compared to what may be there now - nothing - a step forward.

                                                        -- Jerry
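
The LAN seed request suggested in the message above, sketched as an added example that is not part of the original post or of any existing DHCP extension. The protocol tag, datagram layout and all function names are assumptions made for illustration; the seed is hashed together with whatever local state the booting system has, so it supplements that state rather than replacing it.

```python
from __future__ import annotations
import hashlib, hmac, os, socket

SEED_LEN = 32
MAGIC = b"SEEDREQ1"   # hypothetical protocol tag, not a real DHCP option

def build_request() -> tuple[bytes, bytes]:
    """Client: return (nonce, datagram). The nonce only matches the reply
    to this request; it is not used as secret material."""
    nonce = os.urandom(16)
    return nonce, MAGIC + nonce

def handle_request(datagram: bytes) -> bytes | None:
    """Seed server on the LAN: echo the nonce, append fresh random bytes."""
    if len(datagram) != len(MAGIC) + 16 or not datagram.startswith(MAGIC):
        return None
    return datagram[len(MAGIC):] + os.urandom(SEED_LEN)

def parse_reply(nonce: bytes, datagram: bytes) -> bytes | None:
    """Client: accept only a well-formed reply that echoes our nonce."""
    if len(datagram) != 16 + SEED_LEN or not hmac.compare_digest(datagram[:16], nonce):
        return None
    return datagram[16:]

def request_lan_seed(server: tuple[str, int], timeout: float = 2.0) -> bytes | None:
    """Ask the (assumed) seed server once; None on timeout or bad reply."""
    nonce, req = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(req, server)
            reply, _ = s.recvfrom(64)
        except OSError:
            return None
    return parse_reply(nonce, reply)

def derive_boot_seed(local_inputs: list[bytes], lan_seed: bytes | None) -> bytes:
    """Hash local state and the LAN seed together, length-prefixed so field
    boundaries are unambiguous. With no LAN seed the result still depends
    on the local inputs, so the request never makes things worse."""
    h = hashlib.sha256(b"boot-seed-v1")
    for item in local_inputs + [lan_seed or b""]:
        h.update(len(item).to_bytes(4, "big") + item)
    return h.digest()

def seed_kernel_pool(seed: bytes) -> None:
    """Linux: writing to /dev/urandom mixes data in without crediting entropy."""
    with open("/dev/urandom", "wb") as f:
        f.write(seed)
```

The exchange is unauthenticated and in the clear, which matches the threat model stated in the message: it helps only against attackers who cannot watch the local LAN.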


