Via puts RNGs on new processors
John Kelsey
kelsey.j at ix.netcom.com
Wed Apr 9 23:57:07 EDT 2003
At 03:21 PM 4/9/03 +0000, David Wagner wrote:
>Ian Grigg wrote:
> >My world view would be that there is no such
> >thing as an acceptable off-the-shelf RNG.
>
>Why not? You rely on an off-the-shelf CPU, don't you?
>The CPU must be trusted just as much as the RNG.
It depends on what you're worried about, right? RNG failures can be pretty
subtle, and may be impossible to detect in software. If the RNG fails, it
might be nice to still get reasonable security.
Though it's not like it's easy to have unlimited faith in software-based
entropy collection processes, either....
More generally, malevolently altered CPUs make a different set of attacks
possible; they're more likely to either be interactive attacks, or to be
observable in the CPU's behavior. Like, if your CPU notices whenever a
3DES encryption is being done, and only does single-DES instead, it will be
easy to catch. If the CPU has some backdoor to get it into supervisor mode
whenever a certain 64-bit value appears on the memory bus, that's likely to
be useful for some attacks, but not for others. (It won't help you decrypt
a stored, encrypted file somewhere.)
--John Kelsey, kelsey.j at ix.netcom.com
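To illustrate the two points above (a subtly failed RNG can pass every software health test, yet mixing it with an independent source still yields a usable seed), here is an added example that is not part of the original post or the list discussion. The "hardware RNG" is a constructed stand-in (SHA-256 in counter mode from a fixed seed), the frequency test and mixer are assumed designs, and all sample inputs are constructed.

```python
import hashlib
from collections import Counter

def broken_hwrng(seed: bytes, nbytes: int) -> bytes:
    """Stand-in for a subtly failed hardware RNG: SHA-256 in counter mode from a
    fixed seed. Its output looks statistically fine, but anyone who knows `seed`
    can reproduce every byte it ever emits. (Constructed for this example.)"""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])

def byte_frequency_ok(data: bytes, tolerance: float = 0.5) -> bool:
    """Naive in-software health check: every byte value must occur within
    +/-tolerance of its expected count. A stuck or constant output fails; the
    counter-mode stream above passes, which is exactly the detection gap."""
    expected = len(data) / 256
    counts = Counter(data)
    return all(abs(counts.get(v, 0) - expected) <= tolerance * expected
               for v in range(256))

def mix_seed(hw: bytes, sw: bytes, label: bytes = b"seed-v1") -> bytes:
    """Combine a hardware sample with independently collected software entropy.
    The seed stays unpredictable as long as at least one input is; length
    prefixes keep the hash input unambiguous. (Assumed mixer design.)"""
    def lp(x: bytes) -> bytes:
        return len(x).to_bytes(4, "big") + x
    return hashlib.sha256(lp(label) + lp(hw) + lp(sw)).digest()

if __name__ == "__main__":
    stream = broken_hwrng(b"factory-seed", 65536)   # constructed seed
    print("broken RNG passes frequency test:", byte_frequency_ok(stream))
    print("stuck RNG passes frequency test:", byte_frequency_ok(bytes(65536)))
    # Same predictable hardware bytes, different software entropy -> different seeds.
    print(mix_seed(stream[:32], b"sw-entropy-A").hex())
    print(mix_seed(stream[:32], b"sw-entropy-B").hex())
```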
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com