[Cryptography] /dev/random is not robust

Theodore Ts'o tytso at mit.edu
Mon Nov 4 13:26:53 EST 2013


On Mon, Nov 04, 2013 at 12:39:16PM -0500, John Kelsey wrote:
> Yep.  It seems like getting random secure starting seeds into
> devices would be a huge win here.  Then they can combine that with
> whatever information they have locally, and initialize their RNG,
> and then generate their keypair.

If we have the random secure seed built into each device, it's
certainly better than nothing.  But if we started building systems
that depended only on the secure seed, then how long would it take
before the NSA started leaning on manufacturers to make that "secure
random seed" be AES_ENCRYPT(NSA_KEY, DEVICE_SERIAL_NUMBER)?

I'd much rather try leaning on the ARM CPU vendors to include a CPU cycle
counter, since it's much easier to audit that the CPU cycle counter is
doing what you think it is doing, and then you can use that to create
a better entropy-gathering RNG in the OS.  (Having them add a hardware
RNG is also good, but that might require more silicon and validation
than simply adding a cycle counter register.)

					- Ted
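The cycle-counter idea above, as an added illustration that is not code from the list post or the Linux RNG: it reads a monotonic clock as a portable stand-in for a CPU cycle counter, mixes each inter-sample timing delta into a 64-bit pool, and reports when the counter is too coarse to show any jitter so that nothing gets credited. The splitmix64 mixer, the busy loop between reads and the low-byte sanity check are my choices for this sketch, not anything the thread describes.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <time.h>
#define MAX_SAMPLES 4096

/* Portable stand-in for a CPU cycle counter: the monotonic clock in ns.
   On hardware that exposes a cycle counter, read that register instead. */
static uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* splitmix64 finaliser: a bijective bit mixer, NOT a cryptographic hash.
   A real entropy pool would mix with a keyed cryptographic hash instead. */
static uint64_t mix64(uint64_t z) {
    z ^= z >> 30; z *= 0xbf58476d1ce4e5b9ULL;
    z ^= z >> 27; z *= 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* Fold one inter-sample timing delta into the pool state. */
uint64_t pool_mix(uint64_t pool, uint64_t delta) { return mix64(pool + delta); }

/* Sanity check, not an entropy estimate: distinct low-byte values among the
   deltas. A coarse or stuck counter yields 1 and must be credited nothing. */
size_t distinct_low_bytes(const uint64_t *deltas, size_t n) {
    unsigned char seen[256] = {0};
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char b = (unsigned char)(deltas[i] & 0xff);
        if (!seen[b]) { seen[b] = 1; count++; }
    }
    return count;
}

/* Take n live timing samples, mix each delta into *pool_out and return the
   number of distinct low bytes seen (1 means the counter shows no jitter). */
size_t gather_jitter(size_t n, uint64_t *pool_out) {
    uint64_t deltas[MAX_SAMPLES], pool = 0, prev = read_counter();
    if (n > MAX_SAMPLES) n = MAX_SAMPLES;
    for (size_t i = 0; i < n; i++) {
        volatile uint64_t work = 0;             /* some work between reads */
        for (int k = 0; k < 16; k++) work += mix64(work + (uint64_t)k);
        uint64_t now = read_counter();
        deltas[i] = now - prev; prev = now;
        pool = pool_mix(pool, deltas[i]);
    }
    *pool_out = pool;
    return distinct_low_bytes(deltas, n);
}
```

A kernel pool would additionally rate-limit how much entropy it credits per sample; this sketch only shows the gate, not the accounting.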