[Cryptography] /dev/random is not robust

John Kelsey crypto.jmk at gmail.com
Tue Nov 5 17:46:36 EST 2013


On Nov 5, 2013, at 1:57 PM, John Denker <jsd at av8n.com> wrote:

> On 11/04/2013 10:39 AM, John Kelsey wrote:
...
>  Given that we don't want to be completely screwed, we MUST
>  ensure that the device has enough randomness onboard, so 
>  that it can generate secure session keys.
> 
>  This is an entirely /solvable/ chicken-and-egg problem.
>  Proper provisioning is a big part of the solution.  As
>  soon as you can establish a secure connection, you can
>  download tons of exogenous randomness.


Okay, but if you don't have some starting value that I don't know and can't guess, you can't establish a cryptographically secure connection with anyone to get them to send you random bits. How do you establish a key I don't know with your randomness-providing TTP?

If you have a single secret value I don't know and can't guess, you can use this as a PRNG seed, and as long as I don't compromise your state somehow, you can keep generating outputs that I can't distinguish from random for as long as you like.  

If you share a single secret value I don't know with some TTP, you can use this secret as an encryption and authentication key, and get the TTP to send you some randomness.  Then, if I observed the ciphertext from the TTP to you, your PRNG's security is exactly the same as if you just used that starting value as a PRNG seed.  

If I didn't observe the message from the TTP down to you, then no secure connection was needed.  The TTP could send you random bits in the clear, and that would be fine, because I wouldn't know them.  

--John
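As an added illustration of the reduction argued in this reply (constructed for this page, not code from the post or its author), the sketch below shows that everything the client ends up with is a function of its secret seed and the publicly observable ciphertext, so an observer who can guess the seed recovers the same value. The HMAC counter-mode expansion and the XOR channel are deliberate simplifications standing in for a real DRBG and a real secure channel.

```python
import hmac
import hashlib

# Constructed illustration: a seed the attacker cannot guess is all a
# deterministic PRNG needs, and randomness fetched from a TTP over a link
# keyed from that same seed adds nothing against an observer of the link.


def prng_output(seed: bytes, nbytes: int) -> bytes:
    """Expand a secret seed into nbytes of output with HMAC-SHA256 in
    counter mode (a simplification, not NIST HMAC_DRBG)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def ttp_channel(seed: bytes, data: bytes) -> bytes:
    """Encrypt (or decrypt) data sent by the TTP under a one-time keystream
    derived from the shared seed. XOR with the keystream is its own inverse."""
    channel_key = hmac.new(seed, b"ttp-channel", hashlib.sha256).digest()
    keystream = prng_output(channel_key, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def client_combined_seed(seed: bytes, ciphertext: bytes) -> bytes:
    """Client decrypts the TTP's random bits and mixes them with its own seed.
    Note the result depends only on (seed, ciphertext)."""
    ttp_bits = ttp_channel(seed, ciphertext)
    return hashlib.sha256(seed + ttp_bits).digest()


def observer_reconstruction(seed_guess: bytes, ciphertext: bytes) -> bytes:
    """What an observer of the ciphertext computes from a guess at the seed.
    With the right seed this equals the client's value exactly; with a wrong
    guess it is unrelated, which is the original seed's security, no more."""
    return client_combined_seed(seed_guess, ciphertext)
```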

