[Cryptography] Techniques for malevolent crypto hardware

[Jerry Leichter]

On Sep 8, 2013, at 9:15 PM, Perry E. Metzger wrote:
>> I don't see the big worry about how hard it is to generate random 
>> numbers unless:
> 
> Lenstra, Heninger and others have both shown mass breaks of keys based
> on random number generator flaws in the field. Random number
> generators have been the source of a huge number of breaks over time.
> 
> Perhaps you don't see the big worry, but real world experience says
> it is something everyone else should worry about anyway.
Which brings into the light the question:  Just *why* have so many random number generators proved to be so weak.  If we knew the past trouble spots, we could try to avoid them, or at least pay special care to them during reviews, in the future.

I'm going entirely off of memory here and a better, more data-driven approach, might be worth doing, but I can think of three broad classes of root causes of past breaks:

1.  The designers just plain didn't understand the problem and used some obvious - and, in retrospect, obviously wrong - technique.  (For example, they didn't understand the concept of entropy and simply fed a low-entropy source into a whitener of some kind - often MD5 or SHA-1.  The result can *look* impressively random, but is cryptographically worthless.)

2.  The entropy available from the sources used was much less, at least in some circumstances (e.g., at startup) than the designers assumed.

3.  The code used in good random sources can look "strange" to programmers not familiar with it, and may even look buggy.  Sometimes good generators get ruined by later programmers who "clean up the code".

                                                        -- Jerry