Use of TPM chip for RNG?

Travis H. solinym at gmail.com
Mon Jul 3 13:24:44 EDT 2006


On 7/3/06, Leichter, Jerry <leichter_jerrold at emc.com> wrote:
> You're damned if you do and damned if you don't.  Would you want to use a
> hardware RNG that was *not* inside a tamper-proof package - i.e., inside
> of a package that allows someone to tamper with it?

Yes.  If someone has physical access to your equipment, they could
compromise it.  On the other hand, if you have access to it, you can
establish a baseline and check it for changes.  I recall the book
titled "Computer Security" by Carroll suggested taking polaroids of
all your equipment, and from each window, and other even more paranoid
things.  As a non-sequitur, in the first edition, he had the following
wonderful quote on the dust jacket:

``Computer crime has become the "glamor crime" of the 1970s...''

Perhaps he was a bit ahead of his time.

> A "spiked" RNG of the kind you describe is at least somewhat fixable:
> Choose a fixed secret key and encrypt the output of the generator with
> the key before using it....
> ... nor do you have to fix it for good.)

Were you to periodically take the output of the generator and use it
as a new key, you would have something remarkably similar to the
Fortuna and Yarrow PRNGs.  If you don't do something like that, you
have cycle lengths equal to your input's cycle length, which for the
designs we've been discussing, is fixed, so pretty easy to distinguish
from random (assuming you have access to enough output).
-- 
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
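The two constructions discussed in this exchange, worked through as an added example that is not part of the original thread. A constructed "spiked" generator with a short fixed cycle stands in for a tampered hardware RNG; HMAC-SHA256 stands in for the block cipher that encrypts each output block (an assumption, since the post names no cipher). Whitening under a fixed key keeps the input's cycle length, which is exactly the distinguisher Travis describes. The example then goes one step beyond the text: rekeying from the generator output alone still inherits the period, while Fortuna-style chaining of the old key with fresh output (K = H(K || s), which is how Fortuna reseeds) leaves no period in the observed window. The period finder, generator and rekeying schedule are all constructed here for illustration.

```python
import hashlib
import hmac
from typing import List, Optional

BLOCK = 16  # bytes per generator output block (constructed parameter)


def spiked_generator(period: int, count: int) -> List[bytes]:
    """Constructed stand-in for a tampered hardware RNG: each block looks
    random on its own, but the stream repeats every `period` blocks."""
    cycle = [hashlib.sha256(b"spiked-%d" % i).digest()[:BLOCK] for i in range(period)]
    return [cycle[i % period] for i in range(count)]


def find_period(blocks: List[bytes]) -> Optional[int]:
    """Smallest p with blocks[i] == blocks[i + p] for every i in the window,
    or None when no repetition is visible in the observed output."""
    n = len(blocks)
    for p in range(1, n // 2 + 1):
        if all(blocks[i] == blocks[i + p] for i in range(n - p)):
            return p
    return None


def keyed_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for 'encrypt one block under key' (HMAC-SHA256 instead of a
    block cipher; any keyed pseudo-random function shows the same effect)."""
    return hmac.new(key, block, hashlib.sha256).digest()


def fixed_key_whiten(raw: List[bytes], key: bytes) -> List[bytes]:
    """Jerry's fix as quoted: one fixed secret key for the whole stream.
    Equal inputs give equal outputs, so the cycle length is preserved."""
    return [keyed_prf(key, b) for b in raw]


def rekeying_whiten(raw: List[bytes], seed_key: bytes, rekey_every: int, chain: bool) -> List[bytes]:
    """Travis's variant: every `rekey_every` blocks, take generator output and
    turn it into a new key.  With chain=True the old key is mixed in
    (Fortuna-style K = H(K || s)); with chain=False the new key depends only
    on the (periodic) generator output, which is the naive reading."""
    key = seed_key
    out = []
    for i, b in enumerate(raw):
        if i % rekey_every == 0:
            if chain:
                key = hashlib.sha256(key + b).digest()  # carries all past history
            else:
                key = hashlib.sha256(b).digest()  # a function of a periodic input
        out.append(keyed_prf(key, b))
    return out


def compare_designs(period: int = 16, window: int = 256, rekey_every: int = 8) -> dict:
    """Measure the observable cycle length of each design over one window."""
    raw = spiked_generator(period, window)
    seed = b"fixed-secret-key-for-demo"  # constructed secret
    return {
        "raw": find_period(raw),
        "fixed_key": find_period(fixed_key_whiten(raw, seed)),
        "rekey_naive": find_period(rekeying_whiten(raw, seed, rekey_every, chain=False)),
        "rekey_chained": find_period(rekeying_whiten(raw, seed, rekey_every, chain=True)),
    }


if __name__ == "__main__":
    for design, p in compare_designs().items():
        print(f"{design:14s} observable period: {p if p else 'none in window'}")
```

With a 16-block spiked cycle and a rekey every 8 blocks, the naive schedule derives only two distinct keys in alternation, so the whitened stream still repeats every 16 blocks; the chained schedule never reuses a key within the window. Note that chaining only hides the defect from an observer of the output: the underlying generator is still broken, and a baseline check of the hardware, as the post suggests, is what actually catches the tampering.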
