[Cryptography] Fwd: [IP] 'We cannot trust' Intel and Via's chip-based crypto, FreeBSD developers say

Arnold Reinhold agr at me.com
Fri Dec 20 15:46:32 EST 2013


On Dec 19, 2013, at 12:04 PM, Stephan Mueller wrote:

> Am Donnerstag, 19. Dezember 2013, 07:56:36 schrieb Arnold Reinhold:
> 
> Hi Arnold,
> 
> 
>> How do we safely initialize Yarrow or another software RNG if the
>> CPU's hardware RNG is compromised and there is no other source of
>> entropy? This is a situation that is increasingly common in all
>> solid-state black box devices, and is especially tricky at first
>> startup, when keys used to manage such units are often generated.
> 
> There are various implementations of RNGs that use CPU execution timing 
> variations as noise source. That phenomenon is available right from the 
> start of the CPU. In fact, the patch in my Jitter RNG [4] for the Linux 
> /dev/random would fill the input_pool with entropy during initialization 
> at system boot time, early in the boot cycle. This could be done for a 
> Yarrow as well. I guess the other RNGs could be used in a similar 
> fashion.
> 
> So, there are noise sources which do not depend on some black box.
> 
> [1] http://www.issihosts.com/haveged/
> [2] http://dankaminsky.com/2012/08/15/dakarand/
> [3] http://jytter.blogspot.se/
> [4] http://www.chronox.de/
> 
> 
> Ciao
> Stephan

Sandy Harris mentioned one more: ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/

I am not able to evaluate these RNG schemes that rely on uncertainties in CPU timing. They may well provide a solution, but I am not prepared to bet that people who can modify CPU innards can't find a way to defeat them. In section 2.1 of your http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.html you point out some possibilities, but say that if an attacker has that much access to the CPU, they have other means of compromising your system. That may not be true. The beauty of a compromised CPU RNG is that it does not require any covert communication from the compromised system back to the attacker.

As others have said, a billion chip CPU is impossible to audit. Adding what I proposed, a key stretcher in the initialization chain of an OS RNG like Yarrow or /dev/random, is very simple to do and need only add a few seconds to first boot up.  The best solution however is still an auditable source of randomness independent of the CPU.


Arnold Reinhold
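The two mitigations discussed in this thread, seeding from CPU timing jitter and then running the seed through a key stretcher during RNG initialization, combined in one sketch. This is an added illustration, not code from the thread, from Yarrow, or from Stephan Mueller's Jitter RNG; the function names, the use of PBKDF2-HMAC as the stretcher, the salt string, the loop sizes and the two-second target are all assumptions.

```python
import hashlib
import time

def collect_jitter_samples(n: int) -> list:
    """Return n timing deltas (ns) between short work loops.
    Only the low bits of each delta carry unpredictable jitter; the
    rest is deterministic loop cost, which the hash below tolerates."""
    samples = []
    acc = 0
    last = time.perf_counter_ns()
    for _ in range(n):
        for j in range(64):          # small loop whose timing depends on pipeline/cache state
            acc = (acc * 31 + j) & 0xFFFF
        now = time.perf_counter_ns()
        samples.append(now - last)
        last = now
    return samples

def condition(samples, extra: bytes = b"") -> bytes:
    """Hash raw deltas into a 32-byte pool. 'extra' may carry a second
    source such as the CPU hardware RNG output: hashing both means a
    compromised source cannot make the pool weaker than the honest one."""
    h = hashlib.sha256()
    for d in samples:
        h.update(d.to_bytes(8, "little", signed=True))
    h.update(extra)
    return h.digest()

def stretch(pool: bytes, iterations: int) -> bytes:
    """Key-stretch the pool. This adds no entropy; it multiplies the
    attacker's per-guess cost by 'iterations' if the inputs turn out to
    have little entropy (e.g. a back-doored hardware RNG)."""
    return hashlib.pbkdf2_hmac("sha256", pool, b"rng-init-stretch", iterations, 32)

def calibrate_iterations(target_seconds: float = 2.0) -> int:
    """Choose an iteration count costing roughly target_seconds on this host,
    so first boot pays a few seconds, as the proposal above suggests."""
    probe = 10_000
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"rng-init-stretch", probe, 32)
    per_iter = (time.perf_counter() - t0) / probe
    return max(probe, int(target_seconds / per_iter))

def initial_seed(target_seconds: float = 2.0, cpu_rng_output: bytes = b"") -> bytes:
    """Produce the first seed for a software RNG such as Yarrow."""
    pool = condition(collect_jitter_samples(4096), cpu_rng_output)
    return stretch(pool, calibrate_iterations(target_seconds))
```

Before trusting jitter as the only source on a given platform, measure it (distinct delta values, compressibility) rather than assuming the loop above yields usable entropy everywhere.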