Use of TPM chip for RNG?

Ben Laurie ben at algroup.co.uk
Tue Jul 4 18:55:24 EDT 2006


Peter Gutmann wrote:
> hal at finney.org ("Hal Finney") writes:
> 
>> A few weeks ago I asked for information on using the increasingly prevalent
>> built-in TPM chips in computers (especially laptops) as a random number
>> source.
> 
> You have to be pretty careful here.  Most of the TPM chips are just rebadged
> smart cards, and the RNGs on those are often rather dubious.  A standard
> technique is to repeatedly encrypt some stored seed with an onboard block
> cipher (e.g. DES) as your "RNG".  Beyond the obvious attacks (DES as a PRNG
> isn't particularly strong) there are the usual paranoia concerns (how do we
> know the manufacturer doesn't keep a log of the seed and key?) and stupidity
> concerns (all devices use the same hardwired key, which some manufacturers
> have done in the past).  There are also active attacks possible, e.g. request
> values from the device until the EEPROM locks up, after which you get constant
> "random" values.  Finally, some devices have badly-designed challenge-response
> protocols that give you an infinite amount of RNG output to analyse, as well
> as helping cycle the RNG to lockup.

Glad to see some new information in a thread that is otherwise giving me
a huge sense of déjà vu. So ... where are these rebadged smartcards
deployed? Who rebadges them?

> 
> So the only hardware RNG I'd trust is one of the noise-based ones on full-
> scale crypto processors like the Broadcom or HiFn devices, or the Via x86's.
> There are some smart-card vendors who've tried to replicate this type of
> generator in a card form-factor device, but from what little technical info is
> available about generators on smart cards it seems to be mostly smoke and
> mirrors.
> 
> (As an extension of this, the lack of access to a TPM's RNG isn't really any
> great loss.  If it's there, you can mix it opportunistically into your own
> RNG, but I wouldn't rely on it).

+1.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
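The "mix it opportunistically into your own RNG, but don't rely on it" advice above, together with the locked-up-device failure mode, as an added example that is not from the thread or from any TPM vendor's code: the hardware sample is hashed together with OS randomness so it can add entropy but never subtract it, and a continuous repetition check drops the hardware source once it starts returning constant blocks. The hardware source here is a constructed stand-in, and all function and class names are my own.

```python
import hashlib
import os
import struct

def mix_sources(hw_sample: bytes, os_sample: bytes) -> bytes:
    """Hash both samples with length prefixes: the digest stays unpredictable as
    long as either input is, so a weak or constant hardware sample cannot hurt."""
    h = hashlib.sha256()
    for part in (hw_sample, os_sample):
        h.update(struct.pack(">I", len(part)))  # prefix stops boundary shifting
        h.update(part)
    return h.digest()

class OpportunisticPool:
    """OS randomness as the baseline, hardware bytes mixed in opportunistically;
    the hardware source is dropped once it repeats a block (stuck-device check)."""

    def __init__(self, hw_source, os_source=os.urandom):
        self.hw_source = hw_source    # callable(n) -> bytes, untrusted
        self.os_source = os_source    # callable(n) -> bytes, trusted baseline
        self.prev_block = None
        self.hw_failed = False

    def read_hw(self, n: int) -> bytes:
        if self.hw_failed:
            return b""
        block = self.hw_source(n)
        if block == self.prev_block:
            self.hw_failed = True     # identical consecutive blocks: stop using it
            return b""
        self.prev_block = block
        return block

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += mix_sources(self.read_hw(32), self.os_source(32))
        return bytes(out[:n])

def make_stuck_hw_source(good_calls: int, stuck_value: bytes):
    """Constructed stand-in for a device that gives fresh blocks for a few calls
    and then the same constant forever (a locked-up EEPROM-backed 'RNG')."""
    state = {"calls": 0}
    def source(n: int) -> bytes:
        state["calls"] += 1
        if state["calls"] <= good_calls:
            return hashlib.sha256(b"good" + bytes([state["calls"]])).digest()[:n]
        return (stuck_value * n)[:n]
    return source
```

A real deployment would log the `hw_failed` transition and keep serving from the OS pool alone, which is exactly what "don't rely on it" buys you.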
