Dirty Secrets of "noise based" RNGs

Thor Lancelot Simon tls at rek.tjls.com
Tue Jul 4 17:46:20 EDT 2006


On Mon, Jul 03, 2006 at 02:31:10PM +1200, Peter Gutmann wrote:
> 
> So the only hardware RNG I'd trust is one of the noise-based ones on full-
> scale crypto processors like the Broadcom or HiFn devices, or the Via x86's.
> There are some smart-card vendors who've tried to replicate this type of
> generator in a card form-factor device, but from what little technical info is
> available about generators on smart cards it seems to be mostly smoke and
> mirrors.

Do you actually know of publicly available documentation on the design
and implementation of *any* of these "noise based" RNGs?  I have spent
some time looking, and I do not.

Here is what I do know:

1) There's one exception: Hifn documents the RNG used on their 65xx and
   can, upon request, provide documentation on exactly how the version
   on the common 79xx chips differs from this design.  They also provide
   a fairly good analysis (practical and theoretical) of the design's
   strength.

	BUT

2) Hifn used to make this documentation publicly available but access
   to it now requires permission from Hifn sales -- it has been password
   protected on their public web site.  In other words, after years of
   design wins based on little but open-source friendliness (after all,
   Hifn's chips are no faster, often slower, than others', and notoriously
   buggy) they are now, at least on this issue, biting the hand that feeds
   them.

3) Broadcom makes no RNG documentation, much less analysis, publicly
   available.  If you're using their RNG without NDA documentation that
   may or may not even exist, it's on a "trust us...really!" basis.

4) Neither does any other crypto vendor for whose products open-source
   drivers are available, AFAICT.

5) Some general-purpose CPU and motherboard chipset vendors include RNGs
   in their product.  Intel used to do so, and had a very good analysis
   of their product available.  But then they muddied the water by making
   it impossible to tell which chips had real RNGs on them and which just
   had junk registers sampling who knows what -- probably bus noise in
   some cases.  And they now call the RNG product "end of life".

   AMD has an RNG on their host chipset for Opteron, as they did on their
   last server chipset for Athlon MP.  But they do not document how it
   works nor provide any analysis of its strength.

   I have not had time to investigate the situation vis-a-vis VIA.  I am
   told it's somewhat better, but I was told the Broadcom stuff was
   trustworthy, too, and then I found out that the person who said so did
   not really have documentation either!

6) I have run into one implementation of an "RNG" on a crypto processor
   from a major vendor that is actually clearly, once one reads between
   the lines of its documentation, an X9.31 Deterministic RNG using the
   symmetric crypto functionality of the chip.  The vendor's documentation
   is silent as to what the actual entropy source is, and they *did not
   respond to a direct inquiry* on the subject.  This product is FIPS-140
   certified; but it was clearly designed *only* to pass certification,
   and for obvious reasons, you should not trust it!

   A good FIPS-140 test lab should follow the guidance from NIST that the
   input source to the D. RNG must not contain less entropy than the
   output.  But it is possible to sneak almost anything past a test lab
   if you're crafty about it and this vendor's refusal to disclose to a
   high-volume customer where the input bits come from is really scary.

These all add up to "vendors are doing things with their 'noise-based'
RNGs that should *really* scare you".  If you are specifying such a RNG
for deployment, and you have any leverage over the vendor who makes it,
I strongly urge you to make disclosure of how it works, including any
analysis they've done, a condition of your use of their product.  The
Intel and Hifn white papers are good examples of what *every* vendor
should be willing to publicly disclose, if their RNG design does not
give them something to hide.

-- 
  Thor Lancelot Simon	                                     tls at rek.tjls.com

  "We cannot usually in social life pursue a single value or a single moral
   aim, untroubled by the need to compromise with others."      - H.L.A. Hart
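Added illustration of point 6 above, not part of this message and not any vendor's code: an ANSI X9.31 generator instantiated with AES-128 (assumed; the standard also allows 3DES, and 16-byte K, V and DT are assumed), showing that its output is a pure function of the seed material, which is why the entropy fed into such a design bounds the entropy of what comes out of it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// xorEnc returns E_K(a xor b) for 16-byte a and b, using enc as E_K.
func xorEnc(enc func(dst, src []byte), a, b []byte) []byte {
	t := make([]byte, 16)
	for k := range t {
		t[k] = a[k] ^ b[k]
	}
	enc(t, t)
	return t
}
// X931Blocks runs the ANSI X9.31 Appendix A.2.4 generator with AES-128 and
// returns n consecutive 16-byte blocks. Per block:
//   I = E_K(DT);  R = E_K(I xor V);  V = E_K(R xor I);  DT = DT + 1
// The stream is a pure function of (K, V, DT); the construction adds no entropy of its own.
func X931Blocks(key, seed, dt []byte, n int) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	v, d := append([]byte(nil), seed...), append([]byte(nil), dt...)
	zero := make([]byte, 16)
	out := make([]byte, 0, 16*n)
	for j := 0; j < n; j++ {
		i := xorEnc(c.Encrypt, d, zero)
		r := xorEnc(c.Encrypt, i, v)
		v = xorEnc(c.Encrypt, r, i)
		for k := 15; k >= 0; k-- { // big-endian increment of DT with carry
			if d[k]++; d[k] != 0 {
				break
			}
		}
		out = append(out, r...)
	}
	return out, nil
}

func main() {
	// Constructed, fixed seed material for illustration; a real device must draw K and V from a measured entropy source.
	k, v, dt := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16), bytes.Repeat([]byte{0x33}, 16)
	a, _ := X931Blocks(k, v, dt, 4)
	b, _ := X931Blocks(k, v, dt, 4)
	fmt.Println("same (K, V, DT) reproduces the stream:", bytes.Equal(a, b))
}
```

Two runs from identical (K, V, DT) print an identical stream; only what those three inputs carry from the entropy source separates this "RNG" from a fixed sequence.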

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


