Via puts RNGs on new processors

Ian Grigg iang at systemics.com
Wed Apr 9 14:43:02 EDT 2003


David Wagner wrote:
> 
> Ian Grigg  wrote:
> >My world view would be that there is no such
> >thing as an acceptable off-the-shelf RNG.
> 
> Why not?  You rely on an off-the-shelf CPU, don't you?
> The CPU must be trusted just as much as the RNG.

I think the attack type is a lot harder.  That is,
attacking via the CPU involves a deep understanding
of what the code is going to be doing, and avoiding
any artifacts, as a squillion OS and application
instructions run before the special target pops
up.

Attacking a RNG is simpler, as Arnold R. just
pointed out.  It is hard for an independent test
to determine if a sequence is random, or is a
PRNG with a seed known by someone else.

> Do you worry about this for your CPU?  If not, why should
> the RNG component of your CPU be any different?

I "worry" only mildly about this for the CPU.
Switching our threat level up to 11, allegedly
there are special regions on Intel CPUs for
unstated special operations for unstated
special customers.  But, I can't quite see
how it is that, even if an attacker has
control of that, he is going to be able to
successfully futz with your process.

It seems that as a minimum, he would have to have
a complete set of the binary instructions.  So as
to be able to target the attack.

Then, he would still need to leak information
somehow.  That is, he steals your key, and hides
it in the secret spot.  What is he going to do
then?  He then either requires a transmitter
of some form, or an ability to piggy back on some
other thing like an IP packet, or some sort of
special black bag job whereby the spook comes in
and sticks the special probe over the CPU pins
to extract the spoils.

That all seems like a very high cost attack.  In
contrast, a specially seeded RNG can be attacked
at leisure, just by looking at the actual work
product, which is presumably available.

(Mind you, if he had both a seeded RNG and the
CPU with "special ops" in, then he might have
all he needs :-)

Of course, all this is well into the paranoia level.
In practice, there are easy defences for both
attacks;  purchasing components randomly, and
random mixers.

(Of course, the real reason that we worry about
this issue is not that there is some nasty attacker
out there, but if the single sourced RNG breaks
and starts spitting out zeroes or some equally
poor output.  From an engineering perspective,
simply testing is insufficient; mixing followed
by occasional testing is far superior because it
reduces the problem to a statistical issue.  In
comparison, for the CPU, breakage is detectable
in other ways.)

-- 
iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
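The "mixing followed by occasional testing" defence from the post, as an added example that is not code from the post or from the list: several entropy sources are hashed together so that one stuck or third-party-seeded source cannot weaken the result, and a simple repetition-count health test flags a source that has started emitting zeroes. The source names and sample bytes are constructed for the demonstration.

```python
import hashlib

def healthy(sample: bytes, max_run: int = 32) -> bool:
    """Repetition-count style health test: reject a sample that repeats
    the same byte value max_run or more times in a row (a stuck source).
    This catches gross failures such as "spitting out zeroes"; it cannot
    detect a well-seeded PRNG masquerading as a true RNG."""
    run = 1
    for prev, cur in zip(sample, sample[1:]):
        run = run + 1 if cur == prev else 1
        if run >= max_run:
            return False
    return True

def mix(sources: dict, out_len: int = 32):
    """Combine several independent entropy sources by hashing them together.
    Each input is length-prefixed so source boundaries are unambiguous.
    If at least one source is good and independent of the rest, the output
    is unpredictable even when the others are stuck or seeded by someone
    else. Returns (output_bytes, names_of_sources_failing_the_health_test)."""
    h = hashlib.sha256()
    suspect = []
    for name in sorted(sources):  # fixed order so the mix is deterministic
        data = sources[name]
        if not healthy(data):
            suspect.append(name)
        h.update(len(name).to_bytes(2, "big") + name.encode())
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()[:out_len], suspect

# Constructed sample inputs (not real hardware output): a "hardware" source
# that has failed and emits only zeroes, and a healthy software source.
STUCK_HW = bytes(64)
GOOD_SW = hashlib.sha512(b"constructed demo entropy").digest()

if __name__ == "__main__":
    out, bad = mix({"hwrng": STUCK_HW, "osrng": GOOD_SW})
    print("mixed output:", out.hex())
    print("sources failing health test:", bad)
```

The health test only turns gross breakage into a detectable statistical event; it says nothing about whether a passing source is genuinely unpredictable, which is why the mixing step carries the real weight.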