Dirty Secrets of "noise based" RNGs
Thor Lancelot Simon
tls at rek.tjls.com
Tue Jul 4 17:46:20 EDT 2006
On Mon, Jul 03, 2006 at 02:31:10PM +1200, Peter Gutmann wrote:
>
> So the only hardware RNG I'd trust is one of the noise-based ones on full-
> scale crypto processors like the Broadcom or HiFn devices, or the Via x86's.
> There are some smart-card vendors who've tried to replicate this type of
> generator in a card form-factor device, but from what little technical info is
> available about generators on smart cards it seems to be mostly smoke and
> mirrors.
Do you actually know of publicly available documentation on the design
and implementation of *any* of these "noise based" RNGs? I have spent
some time looking, and I do not.
Here is what I do know:
1) There's one exception: Hifn documents the RNG used on their 65xx and
can, upon request, provide documentation on exactly how the version
on the common 79xx chips differs from this design. They also provide
a fairly good analysis (practical and theoretical) of the design's
strength.
BUT
2) Hifn used to make this documentation publicly available but access
to it now requires permission from Hifn sales -- it has been password
protected on their public web site. In other words, after years of
design wins based on little but open-source friendliness (after all,
Hifn's chips are no faster, often slower, than others', and notoriously
buggy) they are now, at least on this issue, biting the hand that feeds
them.
3) Broadcom makes no RNG documentation, much less analysis, publicly
available. If you're using their RNG without NDA documentation that
may or may not even exist, it's on a "trust us...really!" basis.
4) Neither does any other crypto vendor for whose products open-source
drivers are available, AFAICT.
5) Some general-purpose CPU and motherboard chipset vendors include RNGs
in their product. Intel used to do so, and had a very good analysis
of their product available. But then they muddied the water by making
it impossible to tell which chips had real RNGs on them and which just
had junk registers sampling who knows what -- probably bus noise in
some cases. And they now call the RNG product "end of life".
AMD has an RNG on their host chipset for Opteron, as they did on their
last server chipset for Athlon MP. But they do not document how it
works nor provide any analysis of its strength.
I have not had time to investigate the situation vis-a-vis VIA. I am
told it's somewhat better, but I was told the Broadcom stuff was
trustworthy, too, and then I found out that the person who said so did
not really have documentation either!
6) I have run into one implementation of an "RNG" on a crypto processor
from a major vendor that is actually clearly, once one reads between
the lines of its documentation, an X9.31 Deterministic RNG using the
symmetric crypto functionality of the chip. The vendor's documentation
is silent as to what the actual entropy source is, and they *did not
respond to a direct inquiry* on the subject. This product is FIPS-140
certified; but it was clearly designed *only* to pass certification,
and for obvious reasons, you should not trust it!
A good FIPS-140 test lab should follow the guidance from NIST that the
input source to the D. RNG must not contain less entropy than the
output. But it is possible to sneak almost anything past a test lab
if you're crafty about it and this vendor's refusal to disclose to a
high-volume customer where the input bits come from is really scary.
These all add up to "vendors are doing things with their 'noise-based'
RNGs that should *really* scare you". If you are specifying such a RNG
for deployment, and you have any leverage over the vendor who makes it,
I strongly urge you to make disclosure of how it works, including any
analysis they've done, a condition of your use of their product. The
Intel and Hifn white papers are good examples of what *every* vendor
should be willing to publicly disclose, if their RNG design does not
give them something to hide.
--
Thor Lancelot Simon tls at rek.tjls.com
"We cannot usually in social life pursue a single value or a single moral
aim, untroubled by the need to compromise with others." - H.L.A. Hart
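An added illustration of the point in item 6, not from the original post or any vendor's design: the ANSI X9.31 generator structure (I = E_K(DT), R = E_K(I xor V), V = E_K(R xor I)) and why NIST's rule that the input may not carry less entropy than the output matters. The block cipher is replaced by an HMAC-SHA256 stand-in (an assumption, not a conforming implementation), and the key, seed and DT values are constructed.

```python
import hmac
import hashlib

BLOCK = 16  # one cipher block; 16 bytes as for AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the AES/3DES encryption X9.31 specifies. The generator
    # only ever encrypts, so any PRF preserves its structure; this is NOT
    # the real cipher and must not be used as a conforming X9.31 DRNG.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def x931_generate(key: bytes, seed: bytes, dt: bytes, nblocks: int) -> list:
    """X9.31 A.2.4 feed-forward: I = E_K(DT); R = E_K(I ^ V); V = E_K(R ^ I).
    Everything here is a function of (key, seed V, DT): the output holds no
    entropy that those inputs did not already contain."""
    v = seed
    out = []
    for _ in range(nblocks):
        i = block_encrypt(key, dt)
        r = block_encrypt(key, xor(i, v))
        v = block_encrypt(key, xor(r, i))
        out.append(r)
        # DT is a date/time vector that must change every call; model it as a counter
        dt = ((int.from_bytes(dt, "big") + 1) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
    return out


def distinct_streams(key: bytes, dt: bytes, seed_bits: int, nblocks: int = 4) -> int:
    """Number of distinct output streams when the seed V carries only
    seed_bits of entropy (constructed: the other bits of V are zero).
    It can never exceed 2**seed_bits, whatever the cipher does."""
    seen = set()
    for n in range(1 << seed_bits):
        seed = n.to_bytes(BLOCK, "big")
        seen.add(b"".join(x931_generate(key, seed, dt, nblocks)))
    return len(seen)


# Constructed demo values (not from any real device).
KEY = bytes(range(16))
SEED = b"\x00" * 15 + b"\x2a"
DT = b"\x00" * 12 + b"\x00\x00\x00\x01"

if __name__ == "__main__":
    print("seed entropy 6 bits ->", distinct_streams(KEY, DT, 6), "distinct streams")
```

With a 6-bit seed the generator can produce at most 64 different streams, however strong the cipher, which is exactly why a vendor's silence about the entropy source matters.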
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com