[Cryptography] cheap sources of entropy

Thierry Moreau thierry.moreau at connotech.com
Wed Jan 29 05:03:37 EST 2014


James A. Donald wrote:
> On 2014-01-29 10:40, Ben Laurie wrote:
>> Unfortunately, though, in low entropy systems it takes a _really_ long
>> time to reach an uncompromised state in the first place.
> 
> I don't think there are any low entropy systems.

Indeed there are no low entropy environments. However, the very mission 
of a digital system is to methodically provide tidiness out of a mostly 
chaotic environment.

> 
> You don't need entropy in a hurry unless you are on the network.  If on 
> the network, attacker cannot know everything about every packet unless he 
> has physical access.  Hard drive generates a lot of entropy, timing skew 
> generates a lot of entropy, and any physical sensor, such as camera or 
> microphone, generates lots of entropy.

The problem with these precise measurements (low bits of precise event 
timing or physical phenomenon measurements) is that there is no known 
usage except as a source of entropy. Then a reasonable system design 
might find no justification for preserving these "useless bits" and drop 
them early in the acquisition chain (truncation, filtering, hysteresis 
algorithm). Such a design approach would even be preferable for processing 
determinism, memory efficiency, easier system validation (fewer "useless 
bits"-dependent bugs).

Plus, obviously, these precise measurements are system-specific and 
not part of a vendor commitment with respect to minimal specifications 
(e.g. an ambient temperature measurement needs no greater precision than 
one degree, so the 0.01 fractional degree happens to exhibit jitter in 
one system production batch and turns constant in the next one).

There are no economic incentives for a low-cost manufacturer to commit 
to provide a "trusted" source of entropy. Intel did something and now 
their design is suspected of a back door by (a portion of) the very 
community that requested something to be done.

Somehow this discussion tends to run in circles.

-- 
- Thierry Moreau
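
Added example, not part of the original message: a small Python check of the point about low-order measurement bits, using a plug-in most-common-value min-entropy estimate. The temperature readings are constructed, and the sensor model and all function names are assumptions made for illustration.

```python
import math
import random
from collections import Counter

def mcv_min_entropy(samples):
    """Plug-in most-common-value estimate, in bits per sample: log2(1 / p_max).
    Assumes independent samples and applies no confidence bound, so treat the
    result as optimistic."""
    p_max = max(Counter(samples).values()) / len(samples)
    return math.log2(1 / p_max)

def low_bits(reading, bits=4):
    """The 'useless' low-order bits of a raw reading (hundredths of a degree)."""
    return reading & ((1 << bits) - 1)

def to_whole_degrees(reading):
    """Early truncation to the precision the specification actually promises."""
    return reading // 100

def constructed_batch(jitter, n=4096, seed=2014):
    """Constructed readings around 21.50 degrees, in hundredths of a degree.
    jitter=True models a batch whose fractional digits wander;
    jitter=False models a batch where they are constant."""
    rng = random.Random(seed)
    return [2150 + (rng.randrange(-32, 32) if jitter else 0) for _ in range(n)]

def survey():
    noisy = constructed_batch(jitter=True)
    quiet = constructed_batch(jitter=False)
    return {
        "noisy batch, low 4 bits": mcv_min_entropy([low_bits(r) for r in noisy]),
        "noisy batch, truncated": mcv_min_entropy([to_whole_degrees(r) for r in noisy]),
        "quiet batch, low 4 bits": mcv_min_entropy([low_bits(r) for r in quiet]),
    }

if __name__ == "__main__":
    for label, bits in survey().items():
        print(f"{label}: {bits:.2f} bits/sample")
```

The same sensor code yields close to 4 bits per sample on one constructed batch and nothing on the other, and nothing at all once readings are truncated early, which is why an estimate like this has to be measured on the deployed hardware rather than assumed.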


