Use of TPM chip for RNG?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Jul 2 22:31:10 EDT 2006


hal at finney.org ("Hal Finney") writes:

>A few weeks ago I asked for information on using the increasingly prevalent
>built-in TPM chips in computers (especially laptops) as a random number
>source.

You have to be pretty careful here.  Most of the TPM chips are just rebadged
smart cards, and the RNGs on those are often rather dubious.  A standard
technique is to repeatedly encrypt some stored seed with an onboard block
cipher (e.g. DES) as your "RNG".  Beyond the obvious attacks (DES as a PRNG
isn't particularly strong) there are the usual paranoia concerns (how do we
know the manufacturer doesn't keep a log of the seed and key?) and stupidity
concerns (all devices use the same hardwired key, which some manufacturers
have done in the past).  There are also active attacks possible, e.g. request
values from the device until the EEPROM locks up, after which you get constant
"random" values.  Finally, some devices have badly-designed challenge-response
protocols that give you an infinite amount of RNG output to analyse, as well
as helping cycle the RNG to lockup.

So the only hardware RNG I'd trust is one of the noise-based ones on full-
scale crypto processors like the Broadcom or HiFn devices, or the Via x86's.
There are some smart-card vendors who've tried to replicate this type of
generator in a card form-factor device, but from what little technical info is
available about generators on smart cards it seems to be mostly smoke and
mirrors.

(As an extension of this, the lack of access to a TPM's RNG isn't really any
great loss.  If it's there, you can mix it opportunistically into your own
RNG, but I wouldn't rely on it).

Peter.
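The closing advice, to mix a TPM's output into your own generator opportunistically without relying on it, and the failure mode described earlier (a device whose EEPROM has locked up and now returns constant "random" values), can be illustrated in code. The example below is added here and is not from the post, nor from any TPM vendor's API: the hardware reader is an assumed caller-supplied callable, the two simulated devices are constructed stand-ins, and the mixing construction (SHA-256 over a domain tag, a counter, fresh OS randomness and the checked hardware samples) is the example's own choice. A stuck or degenerate source is detected by a cheap repetition test and treated as absent, so output quality never drops below that of the OS generator.

```python
"""Opportunistic mixing of an untrusted hardware RNG (e.g. a TPM) into
output derived from the OS RNG, with a health check that rejects a source
that has degenerated into constant output.  Added example: the hardware
reader is an assumed callable, not a real TPM interface."""
import hashlib
import os
from typing import Callable, List, Optional, Tuple

# A source takes a byte count and returns that many bytes.
Source = Callable[[int], bytes]

SAMPLE_LEN = 32    # bytes per sample pulled from the hardware source
CHECK_SAMPLES = 8  # samples examined by the health check


class SourceHealthError(RuntimeError):
    """Raised when the hardware source looks stuck or degenerate."""


def check_source(read: Source, samples: int = CHECK_SAMPLES,
                 n: int = SAMPLE_LEN) -> List[bytes]:
    """Pull a few samples and reject obviously broken output.

    A stuck device (the post's "EEPROM locks up, after which you get
    constant values") returns identical blocks; a healthy 256-bit source
    will not repeat within a handful of samples.  Blocks built from almost
    no distinct byte values (all-zero, all-0xFF, a small counter) are also
    rejected.  Passing is necessary, not sufficient: a weak block-cipher
    PRNG with a secret seed sails through this test unnoticed.
    """
    blocks = [read(n) for _ in range(samples)]
    for b in blocks:
        if len(b) != n:
            raise SourceHealthError("short read from hardware source")
        if len(set(b)) < n // 4:
            raise SourceHealthError("sample uses too few distinct byte values")
    if len(set(blocks)) != len(blocks):
        raise SourceHealthError("repeated sample: source appears stuck")
    return blocks


def mixed_random(read_hw: Optional[Source], n: int = 32) -> Tuple[bytes, bool]:
    """Return n bytes derived from the OS RNG with hardware bytes mixed in.

    Each output block is SHA-256(tag || counter || os.urandom(32) ||
    hardware samples).  If the hardware source is missing or fails the
    health check it is simply left out, which is the "no great loss" case.
    The second return value reports whether hardware bytes were used.
    """
    hw_samples: List[bytes] = []
    if read_hw is not None:
        try:
            hw_samples = check_source(read_hw)
        except SourceHealthError:
            hw_samples = []  # treat the device as absent rather than trusting it
    out = bytearray()
    counter = 0
    while len(out) < n:
        h = hashlib.sha256()
        h.update(b"tpm-mix-v1")              # domain separation tag
        h.update(counter.to_bytes(4, "big"))  # distinct input per block
        h.update(os.urandom(32))              # always present, always fresh
        for s in hw_samples:
            h.update(s)
        out += h.digest()
        counter += 1
    return bytes(out[:n]), bool(hw_samples)


# Constructed stand-ins for a device, used only to exercise the code.
def simulated_healthy_tpm(n: int) -> bytes:
    """Constructed: behaves like a working noise source."""
    return os.urandom(n)


def simulated_stuck_tpm(n: int) -> bytes:
    """Constructed: a locked-up device that returns the same block forever."""
    return bytes(range(256))[:n]


if __name__ == "__main__":
    for name, dev in (("healthy", simulated_healthy_tpm),
                      ("stuck", simulated_stuck_tpm), ("absent", None)):
        data, used_hw = mixed_random(dev, 16)
        print(f"{name:8s} used_hw={used_hw} {data.hex()}")
```

Running the block prints one line per simulated device; the stuck and absent cases both report used_hw=False while still returning OS-derived output, and the healthy case reports True.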

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com