CPRNGs are still an issue.

David G. Koontz david_koontz at xtra.co.nz
Wed Dec 17 15:19:02 EST 2008

Charles Jackson wrote:

> I probably should not be commenting, not being a real device guy.  But,
> variations in temperature and time could be expected to change SSD timing.
> Temperature changes will probably change the power supply voltages and shift
> some of the thresholds in the devices.  Oscillators will drift with changes
> in temperature and voltage.  Battery voltages tend to go down over time and
> up with temperature.  In addition, in some systems the clock frequency is
> purposely swept over something like a 0.1% range in order to smooth out the
> RF emissions from the device.  (This can give a 20 or 30 dB reduction in
> peak emissions at a given frequency.  There is, of course, no change in
> total emissions.)
> Combine all of these factors, and one can envision the SSD cycles taking
> varying numbers of system clock ticks and consequently the low order bits of
> a counter driven by a system clock would be "random."  However, one would
> have to test this kind of entropy source carefully and would have to keep
> track of any changes in the manufacturing processes for both the SSD and the
> processor chip.
> Is there anyone out there who knows about device timing that can say more?

As a chip wonk, without addressing SSD operational timing directly: how much
a clock can change depends on its accuracy over a period of time
sufficient to be off by one or more clocks, implying long counter-chain
timing - slow entropy accumulation at best.  Worse still, the error value
when compared to an outside clock source would tend to be at a fixed rate,
although you see minor variations based on temperature and voltage.  The
same things that make power analysis a valid attack also influence
temperature and voltage.  I'd expect you could manipulate second-order
effects by how the system is operated.  Other than effects on frequency,
temperature and voltage affect switching thresholds, which can cause
variability in delay, in particular when crossing clock domains.  These
threshold delays can be strongly correlated.

Dithered clocks are intended to only fool spectrum analyzers measuring peak
power and are not based on entropy or second order effects.  A PLL feedback
pattern is typically masked by applying the output of a counter and look up
table or combinatoric circuit.  There is no disparity generated long term in
clock high and low bauds, the counter makes the dithering periodic.  Think
short PRNG cyclically applying clock edge offsets and hitting all the
positive and negative offsets equally.

The two don't strike me as sufficient to construct an adequate ergodic system.

Using an HDD as an 'entropy' source is based on operating an ergodic system
where the preceding state is not readily predictable.  The variability is
based in part on sectors and cylinders, angular velocity, disk position and
head position.  All that variability can collapse in an SSD.  Trying to rely
on remaining secondary effects for loss of predictability could be countered
by eliminating or reducing them.  We design systems to not be readily
influenced by secondary effects in the first place.
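The point about a counter-driven, look-up-table clock dither behaving like a short PRNG can be checked numerically. The following is an added example, not code from the post or from any device vendor: it models a constructed eight-entry dither table (the offsets, the base tick count and the seeded "jitter" stand-in are all assumptions, not measurements of real hardware), harvests the low-order bits of a tick counter the way a naive entropy collector would, and then estimates per-sample entropy, conditional entropy given the recent history, and the sequence period. The lesson is that memoryless statistics look perfectly healthy for the dithered source while the conditional entropy drops to zero, which is exactly the predictability test a reviewer of such an entropy source should run.

```python
"""Added example (not part of the original post): estimate how much entropy
the low-order bits of a tick counter carry when the only variation comes
from a counter-driven, look-up-table clock dither. All values here are
constructed and model no real device."""
import math
import random
from collections import Counter

# Constructed dither pattern: a counter indexes this table and the table
# shifts the clock edge by the listed number of ticks. Offsets sum to zero,
# so there is no long-term disparity, and the pattern repeats every 8 events.
DITHER_LUT = [0, 1, 2, 1, 0, -1, -2, -1]


def dithered_tick_counts(n_events, base_ticks=100, lut=DITHER_LUT):
    """Ticks taken by each of n_events events under a periodic LUT dither."""
    return [base_ticks + lut[i % len(lut)] for i in range(n_events)]


def jittered_tick_counts(n_events, base_ticks=100, seed=1234):
    """Constructed contrast: per-event jitter drawn independently from a
    seeded PRNG stands in for genuinely noisy timing (a stand-in only)."""
    rng = random.Random(seed)
    return [base_ticks + rng.randint(0, 3) for _ in range(n_events)]


def low_bits(samples, bits=2):
    """Keep only the low-order bits, the part a naive harvester would use."""
    mask = (1 << bits) - 1
    return [s & mask for s in samples]


def shannon_entropy(symbols):
    """Per-symbol Shannon entropy in bits (memoryless estimate)."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def min_entropy(symbols):
    """Per-symbol min-entropy in bits: -log2 of the most frequent symbol."""
    return -math.log2(max(Counter(symbols).values()) / len(symbols))


def conditional_entropy(symbols, order):
    """H(X_n | X_{n-order}, ..., X_{n-1}) in bits, estimated from counts.
    A value near 0 means the next symbol is predictable from the history."""
    ctx_counts, joint_counts = Counter(), Counter()
    for i in range(order, len(symbols)):
        ctx = tuple(symbols[i - order:i])
        ctx_counts[ctx] += 1
        joint_counts[(ctx, symbols[i])] += 1
    n = len(symbols) - order
    return -sum(c / n * math.log2(c / ctx_counts[ctx])
                for (ctx, _sym), c in joint_counts.items())


def detect_period(symbols, max_lag=64):
    """Smallest lag at which the whole sequence repeats exactly, else None."""
    for lag in range(1, max_lag + 1):
        if all(symbols[i] == symbols[i + lag] for i in range(len(symbols) - lag)):
            return lag
    return None


if __name__ == "__main__":
    dithered = low_bits(dithered_tick_counts(64))
    jittered = low_bits(jittered_tick_counts(4096))
    for name, bits in (("dithered", dithered), ("jittered", jittered)):
        print(f"{name}: H={shannon_entropy(bits):.2f} "
              f"Hmin={min_entropy(bits):.2f} "
              f"H(X|2 prev)={conditional_entropy(bits, 2):.2f} "
              f"period={detect_period(bits)}")
```

For the dithered source the low two bits cycle through 0,1,2,1,0,3,2,3: Shannon and min-entropy both report the full 2 bits per sample, yet the conditional entropy given the two previous samples is 0 and the period detector finds the 8-event cycle, so an attacker who has seen one period knows every later sample. The seeded-jitter contrast keeps roughly 2 bits of conditional entropy and no detectable period. In practice the memoryless tests are the ones most often quoted, which is why the history-conditioned estimate belongs in any evaluation of a timing-derived source.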

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
