[Cryptography] Hard Truths about the Hard Business of finding Hard Random Numbers
John Denker
jsd at av8n.com
Thu Jan 30 21:26:29 EST 2014
On 01/30/2014 06:29 PM, John Kelsey wrote:
> There is a tradeoff between purpose-built crypto hardware, and
> off-the-shelf computers and devices pressed into service to do
> crypto. The purpose-built crypto hardware and software is a bigger
> target for very high end attackers, but it is also almost certain to
> be designed to be harder to tamper with in the field, and it's
> probably designed with security in mind to a far greater extent than
> general-purpose hardware and software. Worse, if some commonplace
> software or hardware component becomes the thing everyone bases their
> entropy collection on, that will become a tempting point for a
> targeted attack, but the sound card manufacturer or whatever won't
> think they're primarily building a security product.
>
> A dedicated crypto device can be designed to try to resist a lot of
> attacks that will pretty trivially compromise most off the shelf
> hardware and software devices, like side-channel attacks. It
> normally will be resistant to compromise by someone who takes over
> the computer it's installed in or connected to. It can have an
> entropy source that's purpose-designed and analyzed as an entropy
> source, reasonably resistant to intentional or accidental outside
> interference, etc. For whatever it's worth, it can also be tested by
> some organization that validates hardware crypto devices. Those
> validations all have problems, but they're probably better than no
> validation, which is the practical alternative.
Oh, you mean the way the current generation of electronic
voting machines were "validated" by "independent" testing
labs as required by law? It's a travesty.
https://www.google.com/search?q=%22voting+machine%22+vulnerabilities
What's to keep the TLA that subverted the design of the crypto
chip from subverting the validation procedure?
The only procedure I've heard of that makes any sense is based
on cut-and-choose.
-- Somebody makes a million sound cards, intended for the genuine
audio market.
-- I buy a bunch of them. I select a subset at random and tear
them down. Anything that does not conform to the sound-card
blueprint is disqualifying.
-- If I don't like what I see, I can return the whole batch to
the sound-card market ... which is something I could not do
with purpose-built crypto products.
-- No, I'm not panicked about side-channel attacks. The sound
card is already well shielded, for ordinary audiophile reasons.
There is no reason to think that the sound subsystem is more
vulnerable than the networking subsystem or the memory subsystem
or anything else. Furthermore I can deliberately transmit a
jamming signal that swamps whatever is leaking out of the sound
card, with orders of magnitude to spare.
-- Similarly I'm not panicked about incoming interference. The
soundcard is already well shielded, and furthermore any such
interference would be detectable long before it caused real
degradation, with orders of magnitude to spare. So the best
an attacker could hope for would be a preposterously expensive
denial-of-service attack that called attention to the attacker.
To be clear: At the moment I have not seen any off-the-shelf
soundcards with a validation I trust, but on the other hand
I haven't seen anything else I trust, be it purpose-built or
otherwise. So you can argue the comparison either way. It's
an indeterminate form, travesty divided by zero.
The same applies to software: Open-source software "could" be
reviewed by anyone, which is a lovely theory, but in practice
a lot of the stuff we rely on has never been subjected to
anything remotely resembling a rigorous code review. A thousand
cursory checks are nowhere near as useful as one thorough,
professional review.
Face it, the community has not learned to take security seriously.
There is a treeeeemendous seriousness gap, because the attackers
do take their job seriously. If we spent anywhere near as much
securing Android as They-Who-Shall-Not-Be-Named have spent
subverting it, the world would be a far different place.
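The cut-and-choose procedure above, worked through as a sample-size calculation. This is an added example and not code from John Denker's post or from anyone else in the thread; it assumes a batch of n units of which exactly m are tampered, teardown units drawn uniformly at random without replacement, and a teardown that always detects a unit deviating from the blueprint. Function names (prob_all_clean, min_sample_size, approx_sample_size, choose_units) are mine.

```python
"""Cut-and-choose arithmetic for auditing a batch of commodity devices.

Added example; not code from the original post.  Models the procedure
described in the post: n units are bought off the shelf, k of them are
selected at random and torn down, and the whole batch is rejected if any
torn-down unit deviates from the blueprint.  Assumptions (mine, not the
post's): exactly m of the n units are tampered, the k units are drawn
uniformly without replacement, and a teardown of a tampered unit always
detects the tampering.
"""
from fractions import Fraction
from math import ceil, comb, log
from random import SystemRandom


def prob_all_clean(n: int, m: int, k: int) -> Fraction:
    """Exact probability that a random sample of k units from a batch of n
    containing m tampered units holds no tampered unit (hypergeometric)."""
    if not (0 <= m <= n and 0 <= k <= n):
        raise ValueError("need 0 <= m <= n and 0 <= k <= n")
    if k > n - m:
        return Fraction(0)          # more units drawn than clean units exist
    return Fraction(comb(n - m, k), comb(n, k))


def detection_prob(n: int, m: int, k: int) -> Fraction:
    """Probability that tearing down k random units catches the tampering."""
    return 1 - prob_all_clean(n, m, k)


def min_sample_size(n: int, m: int, confidence) -> int:
    """Smallest k such that P(detect) >= confidence.

    Walks the telescoping product P(all clean) = prod_{i<k} (n-m-i)/(n-i)
    incrementally as an unreduced integer ratio, so the answer is exact and
    the cost is linear in k (no large binomials recomputed at every step).
    """
    if not (1 <= m <= n):
        raise ValueError("need at least one tampered unit and m <= n")
    c = Fraction(str(confidence))   # "0.99" -> 99/100, not the float's binary approximation
    if not (0 < c <= 1):
        raise ValueError("confidence must lie in (0, 1]")
    num, den = 1, 1                 # num/den == P(a sample of k units is all clean)
    for k in range(n + 1):
        # P(detect) = 1 - num/den >= c   <=>   (den - num) * c.den >= c.num * den
        if (den - num) * c.denominator >= c.numerator * den:
            return k
        num *= n - m - k            # one more unit drawn: clean with prob (n-m-k)/(n-k)
        den *= n - k
    raise AssertionError("unreachable: k = n always detects when m >= 1")


def approx_sample_size(tampered_fraction: float, confidence: float) -> int:
    """Large-batch approximation: sampling with replacement gives
    P(all clean) = (1-f)^k, so k >= ln(1-c) / ln(1-f), independent of n.
    Slightly conservative (over-estimates k) relative to the exact value."""
    if not (0 < tampered_fraction < 1 and 0 < confidence < 1):
        raise ValueError("fractions must lie strictly between 0 and 1")
    return ceil(log(1 - confidence) / log(1 - tampered_fraction))


def choose_units(n: int, k: int) -> list[int]:
    """Pick which k of the n units to tear down.  Uses the OS CSPRNG so the
    seller cannot predict, and pre-clean, the units that will be inspected."""
    return sorted(SystemRandom().sample(range(n), k))


if __name__ == "__main__":
    n, m = 1_000_000, 10_000        # a million cards, 1% tampered (assumed)
    k = min_sample_size(n, m, "0.999")
    print(f"tear down {k} of {n}: P(detect) = {float(detection_prob(n, m, k)):.4f}")
    print("with-replacement approximation:", approx_sample_size(0.01, 0.999))
    print("units to inspect:", choose_units(n, 5))
```

The approximation ln(1-c)/ln(1-f) is the useful takeaway: the batch size barely matters. Catching a 1% tampering rate with 99.9% confidence takes about 690 teardowns whether the batch is ten thousand units or a million, which is what makes random sampling from a large commodity market affordable. Pass the confidence as a string or Fraction when the boundary matters; a float like 0.95 is converted through its decimal text so that 95 of 100 counts as reaching 95%.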