Use of TPM chip for RNG?
Ben Laurie
ben at algroup.co.uk
Tue Jul 4 18:55:24 EDT 2006
Peter Gutmann wrote:
> hal at finney.org ("Hal Finney") writes:
>
>> A few weeks ago I asked for information on using the increasingly prevalent
>> built-in TPM chips in computers (especially laptops) as a random number
>> source.
>
> You have to be pretty careful here. Most of the TPM chips are just rebadged
> smart cards, and the RNGs on those are often rather dubious. A standard
> technique is to repeatedly encrypt some stored seed with an onboard block
> cipher (e.g. DES) as your "RNG". Beyond the obvious attacks (DES as a PRNG
> isn't particularly strong) there are the usual paranoia concerns (how do we
> know the manufacturer doesn't keep a log of the seed and key?) and stupidity
> concerns (all devices use the same hardwired key, which some manufacturers
> have done in the past). There are also active attacks possible, e.g. request
> values from the device until the EEPROM locks up, after which you get constant
> "random" values. Finally, some devices have badly-designed challenge-response
> protocols that give you an infinite amount of RNG output to analyse, as well
> as helping cycle the RNG to lockup.
Glad to see some new information in a thread that is otherwise giving me
a huge sense of deja vu. So ... where are these rebadged smartcards
deployed? Who rebadges them?
>
> So the only hardware RNG I'd trust is one of the noise-based ones on full-
> scale crypto processors like the Broadcom or HiFn devices, or the Via x86's.
> There are some smart-card vendors who've tried to replicate this type of
> generator in a card form-factor device, but from what little technical info is
> available about generators on smart cards it seems to be mostly smoke and
> mirrors.
>
> (As an extension of this, the lack of access to a TPM's RNG isn't really any
> great loss. If it's there, you can mix it opportunistically into your own
> RNG, but I wouldn't rely on it).
+1.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
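The opportunistic mixing Gutmann describes (take the device output if it is there, never depend on it), as an added example that is not part of this thread: the trusted OS pool keys an HMAC-SHA256 extractor so a constant, logged or attacker-known device value cannot weaken the result, and a cheap sanity check drops a device that has gone into the constant-output lockup state. The `stuck_tpm` and `weak_prng` sources are constructed stand-ins, not real TPM or smart-card code.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional

ByteSource = Callable[[int], bytes]


def mix_entropy(trusted: bytes, untrusted: bytes, label: bytes = b"hw-rng-mix") -> bytes:
    """HMAC-SHA256 keyed by the trusted pool: the output is only as weak as
    `trusted`, even if `untrusted` is constant or fully known to an attacker."""
    return hmac.new(trusted, label + untrusted, hashlib.sha256).digest()


def device_looks_stuck(samples: List[bytes]) -> bool:
    """Sanity check for the lockup failure mode: every draw identical."""
    return len(samples) > 1 and all(s == samples[0] for s in samples)


class OpportunisticRNG:
    """Always draws from the OS pool; folds in hardware output when available."""

    def __init__(self, os_source: ByteSource = os.urandom,
                 hw_source: Optional[ByteSource] = None) -> None:
        self.os_source = os_source
        self.hw_source = hw_source
        self.hw_disabled = False

    def _hw_draw(self, n: int) -> bytes:
        if self.hw_source is None or self.hw_disabled:
            return b""
        samples = [self.hw_source(n) for _ in range(4)]
        if device_looks_stuck(samples):
            self.hw_disabled = True   # carry on with the trusted pool alone
            return b""
        return b"".join(samples)

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += mix_entropy(self.os_source(32), self._hw_draw(32))
        return bytes(out[:n])


# Constructed stand-ins for the two failure modes described above (not real devices).
def stuck_tpm(n: int) -> bytes:
    return b"\x00" * n            # EEPROM locked up: constant "random" values


_weak_counter = [0]
def weak_prng(n: int) -> bytes:
    _weak_counter[0] += 1         # fixed seed run through a counter: a poor "RNG"
    return hashlib.sha256(b"fixed-seed" + _weak_counter[0].to_bytes(4, "big")).digest()[:n]
```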
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com