[Cryptography] randomness +- entropy

Sandy Harris sandyinchina at gmail.com
Thu Nov 7 13:07:52 EST 2013


Jerry Leichter <leichter at lrw.com> wrote:

> On Nov 6, 2013, at 2:40 PM, John Denker wrote:
>> Suppose we have something that boots from read-only media
>> -- booting repeatedly, unattended, with no HRNG, ...

> In fact, though, I can think of one simple example:  A CD Linux image used precisely to conduct operations we want to keep secure. ...  The CD itself can't carry a seed, as it will be re-used repeatedly.  It has to come up quickly, and on pretty much any hardware, to be useful.  You could probably get something like Turbid in there - but there are plenty of CD's around already that have little if anything.

As John says, the right solution in that case is almost certainly to
boot from USB instead so you can have some writable storage that can
hold a seed file between reboots. In other situations -- a Linux
smartphone or an embedded system with severe limitations -- none of
the known-good solutions may work. No on-board hardware RNG, no free
sound device for Turbid, no writable storage for a seed, ...

In those situations, it seems worth looking at RNGs based on various
sorts of timing jitter. At least two people on the list have written
something along those lines. My maxwell
(ftp://ftp.cs.sjtu.edu.cn:990/sandy/maxwell/) was specifically
designed for such limited systems. Stephan's jitter
(http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.html) and Havege
(http://www.irisa.fr/caps/projects/hipsor/) are more general. I am not
entirely convinced that these can be secure against an attacker with
enormous resources, but breaking them does not look anywhere close to
trivial.
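Added example, not part of Sandy Harris's post and not code from maxwell, jent or HAVEGE: a toy timing-jitter harvester of the kind the post describes, paired with the sanity check a defender wants before trusting such a source on a seedless embedded box. It estimates the min-entropy of the raw timing deltas, caps the credit per sample, and refuses to accept a seed that comes up short. The clock source (`clock_gettime`), the work loop, the one-bit-per-sample cap and the 256-bit target are all assumptions chosen for illustration.

```c
/* Toy jitter harvester with a min-entropy health check (added example;
 * clock source, work loop and thresholds are assumptions, not any
 * project's real policy). */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Monotonic clock in nanoseconds. On a constrained system this might be a
 * cycle counter instead (assumption). */
static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Collect n inter-sample timing deltas. Only the low byte of each delta is
 * kept: the high bits track the loop's average cost and are predictable. */
size_t collect_jitter(uint8_t *out, size_t n) {
    uint64_t prev = now_ns();
    volatile uint64_t sink = 1;
    for (size_t i = 0; i < n; i++) {
        /* Data-dependent work between clock reads, so the delta reflects
         * pipeline/cache/interrupt noise and not just the tick granularity. */
        for (int k = 0; k < 64; k++)
            sink += (sink ^ (prev >> k)) * 0x9E3779B97F4A7C15ull;
        uint64_t cur = now_ns();
        out[i] = (uint8_t)(cur - prev);
        prev = cur;
    }
    return n;
}

/* Most-common-value min-entropy estimate, floored to whole bits: the
 * largest k with (count of the most frequent byte) * 2^k <= n. A constant
 * stream scores 0, a fair coin 1, 16 equiprobable values 4. This is a
 * plausibility check on the raw source, not proof that it is unpredictable. */
unsigned min_entropy_floor_bits(const uint8_t *s, size_t n) {
    size_t counts[256] = {0};
    size_t max = 0;
    for (size_t i = 0; i < n; i++)
        if (++counts[s[i]] > max) max = counts[s[i]];
    if (n == 0) return 0;
    unsigned k = 0;
    while (k < 8 && (max << (k + 1)) <= n) k++;
    return k;
}

/* Assumed policy: never credit more than one bit per raw byte, however good
 * the estimate looks, because short or correlated runs fool the estimator. */
#define CAP_BITS_PER_SAMPLE 1u

size_t credited_bits(const uint8_t *s, size_t n) {
    unsigned per = min_entropy_floor_bits(s, n);
    if (per > CAP_BITS_PER_SAMPLE) per = CAP_BITS_PER_SAMPLE;
    return n * per;
}

int seed_acceptable(const uint8_t *s, size_t n, size_t need_bits) {
    return credited_bits(s, n) >= need_bits;
}

/* Self-check helpers on constructed data: byte i is (i % modulus), so
 * modulus 1 is a constant stream, 2 a fair coin, 16 a uniform nibble. */
unsigned estimate_of_pattern(size_t n, unsigned modulus) {
    uint8_t buf[4096];
    if (n > sizeof buf) n = sizeof buf;
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)(i % modulus);
    return min_entropy_floor_bits(buf, n);
}

size_t credited_of_pattern(size_t n, unsigned modulus) {
    uint8_t buf[4096];
    if (n > sizeof buf) n = sizeof buf;
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)(i % modulus);
    return credited_bits(buf, n);
}

int main(void) {
    enum { N = 4096, NEED_BITS = 256 };   /* assumed seed target */
    uint8_t raw[N];
    collect_jitter(raw, N);
    printf("estimate %u bit(s)/sample, credited %zu bits: %s\n",
           min_entropy_floor_bits(raw, N), credited_bits(raw, N),
           seed_acceptable(raw, N, NEED_BITS)
               ? "seed accepted" : "seed REJECTED (coarse clock or too few samples)");
    return 0;
}
```

The raw bytes are never used as the seed directly; a real harvester feeds them through a cryptographic hash before they touch the pool, and the health check above is what decides whether that hash output is allowed to be credited at all. On a system whose clock only ticks at coarse granularity the estimate collapses to 0 and the seed is rejected, which is the behaviour you want rather than a silently weak pool.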
