Use of TPM chip for RNG?
Jason Holt
jason at lunkwill.org
Thu Jun 29 23:37:36 EDT 2006
On Thu, 29 Jun 2006, "Hal Finney" wrote:
> A few weeks ago I asked for information on using the increasingly
> prevalent built-in TPM chips in computers (especially laptops) as a
> random number source. I got some good advice and want to summarize the
> information for the benefit of others.
Thanks for the useful summary! For the sake of completeness, let me also add
that RNGs in tamper-proof hardware are potentially rather controversial, since
there are several known ways to produce output which looks very random to
anyone who doesn't know some secret, but allows those who do to predict what
future outputs will be. I believe one straightforward way to do this would be
to simply use a symmetric encryption function outputting "random" data blocks
r_i=Encrypt(key, r_(i-1))
If you don't know the secret key, the output will look at least somewhat
random, but if you do, you can use any block to predict all subsequent and
prior ones. (This topic has been discussed in the literature, and my
off-the-cuff example may not be particularly strong.)
I believe it's a fair summary to say that hardware RNG is a neat and useful
feature, but may be unsuitable for the sufficiently paranoid when it comes in
a tamper-proof package.
-J
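The generator sketched in the post, r_i = Encrypt(key, r_(i-1)), worked through as an added example (this is not code from the post or from any TPM vendor). A toy 4-round Feistel cipher built from HMAC-SHA256 stands in for the block cipher so the block runs on the standard library alone; that cipher, the `TrapdoorRNG` name, the fixed key and seed bytes, and the ones-count statistic are all this example's own assumptions. The point it shows is the one the post makes: a crude statistic over the stream sees nothing odd, an outsider guessing a key gets nowhere, but whoever holds the real key turns any one observed block into the next one (by encrypting) and the previous one (by decrypting).

```python
import hashlib
import hmac

HALF = 8          # 64-bit Feistel halves -> 128-bit "random" output blocks
ROUNDS = 4        # toy cipher; illustrative only, not a recommended design

def _f(key, rnd, half):
    """Keyed round function: HMAC-SHA256 truncated to one half-block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    """Toy 128-bit Feistel block cipher standing in for the post's Encrypt."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt(key, block):
    """Inverse of encrypt: the same rounds undone in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

class TrapdoorRNG:
    """r_i = Encrypt(key, r_(i-1)): each output is the cipher applied to the last."""
    def __init__(self, key, seed):
        self.key = key
        self.state = seed

    def next_block(self):
        self.state = encrypt(self.key, self.state)
        return self.state

# What anyone holding the key can do with a single observed block.
def predict_next(key, observed):
    return encrypt(key, observed)

def recover_previous(key, observed):
    return decrypt(key, observed)

def ones_fraction(blocks):
    """Crude 'looks random' statistic: fraction of 1 bits over all blocks."""
    ones = sum(bin(b).count("1") for blk in blocks for b in blk)
    return ones / (8 * sum(len(blk) for blk in blocks))

def demo(key=b"\x01" * 32, seed=b"\x00" * 16, n=2000):
    # key and seed are constructed constants for the example, not real device values
    rng = TrapdoorRNG(key, seed)
    out = [rng.next_block() for _ in range(n)]
    wrong_key = b"\x02" * 32  # an outsider's guess, no inside knowledge
    return {
        "ones_fraction": ones_fraction(out),
        "insider_next_ok": predict_next(key, out[10]) == out[11],
        "insider_prev_ok": recover_previous(key, out[11]) == out[10],
        "outsider_next_ok": predict_next(wrong_key, out[10]) == out[11],
        "distinct": len(set(out)) == n,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The ones-count is deliberately the weakest possible test; the more important observation is that no black-box statistical test, however strong, can distinguish this stream from a good one without the key, which is exactly why a sealed hardware RNG has to be trusted rather than checked. Invertibility is what makes prior outputs recoverable here; a generator that passed its state through a one-way function before output would close that half of the trapdoor but still leave the key holder able to predict forward.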
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com