[Cryptography] What's a Plausible Attack On Random Number Generation?

Yaron Sheffer yaronf.ietf at gmail.com
Sun Nov 3 14:21:29 EST 2013


On 2013-11-03 17:22, Kent Borg wrote:
> On 11/01/2013 10:21 AM, Jerry Leichter wrote:
>> On Nov 1, 2013, at 7:04 AM, Yaron Sheffer <yaronf.ietf at gmail.com> wrote:
>>> It sounds like a quick addition to DHCP - an extension that gets you
>>> 256 bits from the server, would solve 99% of the problem we have with
>>> embedded devices. It will not be sufficient for high-security
>>> environments, because an attacker might be listening on the local
>>> LAN....
>> Ahem.  This is *exactly* the kind of reasoning I started this thread
>> to investigate.  (Though I certainly agree that a *single* DHCP packet
>> containing a random bit string is easily attacked.)
>
> I kind of like the idea of RNGs sharing data, if one is following the
> "more sources is safer"-approach, it seems it can't hurt. (Subliminal
> channel?? Other system consequences?)
>
> But there is an irony here: aren't most of the DHCP servers out there
> little embedded NAT boxes running in homes? RNGs at risk for not having
> much entropy shortly after boot...
>
> Just make sure you don't put all your eggs in any one entropy source...
>
> -kb, the Kent who used to collect entropy samples from Linux machines he
> encountered, but who eventually lost interest, as he wasn't actually
> doing anything with this data, just hoarding it.
>

"Most home routers are also DHCP clients, so we can recommend that they 
request entropy before serving entropy to others" (Paul Hoffman, private 
communication). In fact I haven't seen such home routers myself, I'm 
used to PPPoE, but here's another idea:

Suppose I'm an (entropy) poor home router in an (entropy) poor home, 
with just one desktop machine behind me. We could have the PC send some 
random material in the DHCP *request*, and the router is free to mix it 
into its very shallow entropy pool.

Thanks,
	Yaron
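The client-contributes-in-the-request idea, as an added toy model that is not code from the thread: a hash-based pool on the router mixes in material carried in a DHCP option, using a placeholder option code OPT_ENTROPY (assumed; none is assigned). The same model also shows the caveat raised earlier in the thread: a router with no entropy of its own gains nothing from material a LAN observer also saw, while material an observer or attacker supplied cannot remove entropy the pool already holds.

```python
import hashlib
import hmac

# Placeholder option code for the client-supplied random material the thread
# proposes; no standard DHCP option is assigned for this (assumption).
OPT_ENTROPY = 224  # site-specific range, chosen only for illustration


def parse_dhcp_options(blob: bytes) -> dict:
    """Parse a DHCP option list in its code/length/value layout.
    Code 0 is a one-byte pad, code 255 ends the list."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 255:
        if blob[i] == 0:
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


class EntropyPool:
    """Toy pool: state only ever becomes H(state || input), so observed or
    attacker-chosen input cannot lower the entropy already in the state."""

    def __init__(self, boot_seed: bytes):
        self.state = hashlib.sha256(b"boot" + boot_seed).digest()

    def mix(self, material: bytes) -> None:
        self.state = hashlib.sha256(self.state + material).digest()

    def output(self) -> bytes:
        out = hmac.new(self.state, b"out", hashlib.sha256).digest()
        self.mix(b"advance")  # ratchet so this output is not recoverable later
        return out


def build_request(client_material: bytes) -> bytes:
    """Constructed DHCPREQUEST option list: message type 3 plus our option."""
    return (bytes([53, 1, 3, OPT_ENTROPY, len(client_material)])
            + client_material + b"\xff")


def router_output(boot_seed: bytes, request_options: bytes) -> bytes:
    """Router side: boot with whatever entropy it has, mix in the client's
    contribution from the request, then draw one 32-byte output."""
    pool = EntropyPool(boot_seed)
    opts = parse_dhcp_options(request_options)
    if OPT_ENTROPY in opts:
        pool.mix(opts[OPT_ENTROPY])
    return pool.output()
```

Compare router_output(b"", req) across two runs with an empty boot seed (the entropy-starved router) against router_output(b"secret", req): only the second is unpredictable to someone who saw the request on the LAN.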

