[Cryptography] An alternative electro-mechanical entropy source (was 'We cannot trust' Intel and Via's chip-based crypto...)
Nico Williams
nico at cryptonector.com
Fri Dec 13 18:17:37 EST 2013
On Fri, Dec 13, 2013 at 10:59:17AM -0800, Steve Weis wrote:
> On Thu, Dec 12, 2013 at 3:44 AM, Arnold Reinhold <agr at me.com> wrote:
> > ...
>
> A few comments:
> 1. You aren't trusting the CPU to generate random numbers, but you're
> trusting the motherboard and chipset that your proposed RNG device is
> plugged into. You're also ultimately still trusting the CPU which is
> consuming those values.
I know this thread got campy and all, but, it's one thing to trust
RDRAND and use its outputs without any further post-processing[*], and
it's another to trust the rest of the CPU. It's true that one cannot
possibly fully test, say, 64-bit multiplication... but on the whole the
CPU has to implement deterministic operations reliably, and it's too far
down the stack to robustly implement the Ken Thompson attack[**][***].
So, yes, it is reasonable to trust a CPU but not its RNG.
The correct approach to RDRAND is to make it but one of several inputs
to a CSPRNG. That is should be so is so clear now (and, IIRC the
consensus, if one were to try to determine one, of the /dev/*random
robustness thread) that we really should stop retreading over this.
[*] Or with entirely deterministic post-processing, if that processing
is easy for the adversary to match.
[**] I've been reminded once that Thompson wasn't the first to think of
it, and he'd given credit. Still, you'll all understand when I
refer to it as the Ken Thompson attack.
[***] Unless, I suppose, the CPU has another small computed bolted on
that can operate independently of the CPU and which could flash
the CPU's microcode. "Hmmm".
> 2. How does a CPU authenticate that it's talking to a real, audited
> RNG device and not a spoofed device?
Physical security. It still matters. (I.e., tamper evident seals, et
cetera). You have to trust HW within some perimeter.
> 3. I think an accelerometer measuring vibrations could be influenced
> by the CPU fans, which can be influenced by attackers running userland
> processes.
As long as they can't influence it at high enough frequencies...
Accelerometers are a decent source of entropy for mobile devices, though
probably not all the time (might use too much battery, or the device
might be close enough to at-rest relative to the local gravity well for
an extended period of time).
> If you try to address these issues, I think you'll end up with
> something that looks like a TPM: a cheap device plugged into a bus
> with a slow RNG, persistent storage, & crypto functionality that is
> supposedly made by a trusted manufacturer.
Except hopefully using parts usually already found in every computer.
Like mic inputs (see turbid), or just plain interrupt jitter + cycle
counters / hi-res clocks. Plus a baked-in seed, plus a seed saved at
boot-/shutdown-time.
Nico
--
More information about the cryptography
mailing list