chip-level randomness?

Bill Stewart bill.stewart at pobox.com
Thu Sep 20 21:06:33 EDT 2001


> >> It's not that stupid, as feeding the PRNG from i810_rng at the kernel
> >> level would be resource intensive,
> >
> > You only have to do it once at startup to get enough entropy in there.
>
>If your machine is left on for months or years the seed entropy would become
>a big target. If your PRNG status is compromised then all future uses of
>PRNG output are compromised, which means pretty much everything crypto.
>Other attacks on the PRNG become possible.

Using the Intel hardware RNG to seed /dev/random at startup
provides valuable help for some problems I've had under Linux.
I suspect other Unix-like systems have similar problems.
It should be done VERY early in the boot process,
just in case anything else needs randomness.

When you first boot a new machine, e.g. after installing a new
operating system or disk, the system tries to start the daemons
like sshd before there's been an opportunity for user input,
so there's no real randomness in /dev/random except for
a few bits from disk drive motion.  If the system realizes this,
some of those daemons may stall, which is much more annoying at boot;
if not, they'll start with inadequate entropy, which is very bad.

Some machines can get out of this by sampling /dev/audio,
but machines without sound cards can't do this.
Similarly, if the ethernet drivers have been started,
it's possible to get some entropy from the timing
as well as the content, though many people don't trust this,
and the cards may not always be present, especially on dialup machines.
But using the Intel chipset RNG if it's present takes care of the problem.

                 Bill Stewart
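The mechanism the post relies on, as an added example that is not part of the original message or of any driver's code: read a block from the hardware RNG device node early in boot and hand it to the kernel with the RNDADDENTROPY ioctl, which both mixes the bytes into the pool and raises the kernel's entropy estimate (a plain write to /dev/random mixes without crediting, so blocked daemons would stay blocked). The device path, the 512-byte read size and the conservative half-credit ratio are assumptions; the ioctl number is the x86/ARM encoding of _IOW('R', 0x03, int[2]).

```python
"""Credit hardware-RNG output into the Linux kernel entropy pool (example)."""
import fcntl
import os
import struct

# Linux RNDADDENTROPY = _IOW('R', 0x03, int[2]): dir=write(1), size=8, type='R', nr=3.
# Encoding assumed for x86/ARM; other architectures lay out ioctl numbers differently.
RNDADDENTROPY = (1 << 30) | (8 << 16) | (ord("R") << 8) | 0x03  # 0x40085203


def pack_rand_pool_info(data: bytes, entropy_bits: int) -> bytes:
    """Build struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }.

    entropy_count is the number of bits we claim the bytes contain; it can never
    exceed the number of bits supplied, and a cautious caller credits less.
    """
    if entropy_bits < 0 or entropy_bits > 8 * len(data):
        raise ValueError("cannot credit more entropy than bits supplied")
    # buf is an array of __u32, so pad the byte buffer to a multiple of 4.
    padded = data + b"\x00" * (-len(data) % 4)
    return struct.pack("ii", entropy_bits, len(padded)) + padded


def entropy_avail(proc_text: str) -> int:
    """Parse the contents of /proc/sys/kernel/random/entropy_avail."""
    return int(proc_text.strip())


def seed_kernel_pool(hwrng_path: str = "/dev/hwrng", nbytes: int = 512,
                     credit_ratio: float = 0.5) -> int:
    """Read nbytes from the hardware RNG and credit credit_ratio of its bits.

    Returns the number of entropy bits credited. Needs root (CAP_SYS_ADMIN) and
    a present hardware RNG; the path and ratio are assumptions for this example.
    """
    with open(hwrng_path, "rb", buffering=0) as src:
        data = src.read(nbytes)
    if not data:
        raise OSError(f"{hwrng_path} returned no data")
    bits = int(8 * len(data) * credit_ratio)
    # A bytearray is passed straight through to ioctl(2), avoiding the 1024-byte
    # copy limit that applies to immutable buffers.
    request = bytearray(pack_rand_pool_info(data, bits))
    fd = os.open("/dev/random", os.O_WRONLY)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, request)
    finally:
        os.close(fd)
    return bits


if __name__ == "__main__":
    with open("/proc/sys/kernel/random/entropy_avail") as f:
        before = entropy_avail(f.read())
    credited = seed_kernel_pool()
    with open("/proc/sys/kernel/random/entropy_avail") as f:
        after = entropy_avail(f.read())
    print(f"credited {credited} bits: entropy_avail {before} -> {after}")
```

Run as root during early boot (before sshd and the other daemons start); on kernels that no longer expose a meaningful entropy count the before/after numbers will not move, but the ioctl still mixes and credits the input.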
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com