[Cryptography] [RNG] on RNGs, VM state, rollback, etc.

Peter Todd pete at petertodd.org
Tue Oct 22 03:21:25 EDT 2013


On Mon, Oct 21, 2013 at 09:17:00PM -0700, Watson Ladd wrote:
> > Suppose the RNG hashes in a MAC address.  Immediately, the attacker has a worse life--now with the same amount of entropy, he must do a new 2^{40} search each time he encounters a new device with a public key.  It's like a salted password hash.
> And with a wire that costs 25 cents connecting the wallwart to the
> interrupt pin we've got 60 Hz (50 in Europe) uncorrelated to our local
> clock. Measure the drift, and in 5 seconds we are done collecting 250
> bits of entropy (one bit per interrupt).

That wire costs 25 cents; installing it costs orders of magnitude more
than that.

We have to work within fully commodity hardware, like it or not.

> 2^40 is not a lot for your colleagues in Fort Meade. Imagine this is host
> key generation on hosts on large, important, networks. Piddling with
> the MAC key won't keep out anyone who seriously wants to get in.

Fortunately usually they only kinda want to get in, because they've got
ten thousand other people they're trying to hack to expand their
budgets, er, I mean catch terrorists.  Also fortunately even the NSA has
a limited budget, and that doable 2^40 suddenly becomes a rather
expensive 2^80 if your target happens to have two network interfaces.

Attacks against software RNGs tend to be incredibly brittle. Just make
sure you don't accidentally make the MAC key be the only entropy the
system ever has - remember that you can't test a crypto-quality software
RNG for randomness after the fact.

-- 
'peter'[:-1]@petertodd.org
0000000000000007c786b8211bbccd325f1cdb5db7fb87b10b9cddf0e8edb69a
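The salting effect discussed in this message, as an added example that is not part of the original thread: with the MAC mixed into the seed, one enumeration of the pool-state space no longer covers every device, and a MAC with no other entropy behind it leaves a single candidate. The function names, the SHA-256 construction, the sample MACs and the 12-bit toy space (standing in for the thread's 2^40) are all assumptions made for illustration.

```python
import hashlib

def seed(pool_state: int, mac: bytes = b"") -> bytes:
    """RNG seed = H(mac || pool_state); mac=b"" models an RNG that ignores the MAC."""
    return hashlib.sha256(mac + pool_state.to_bytes(8, "big")).digest()

def public_id(s: bytes) -> bytes:
    """Stand-in for the public key a device publishes (one-way function of the seed)."""
    return hashlib.sha256(b"pub" + s).digest()

def build_table(bits: int, mac: bytes = b"") -> dict:
    """One full enumeration of a 2^bits pool-state space under a given salt."""
    return {public_id(seed(x, mac)): x for x in range(2 ** bits)}

def enumerations_needed(devices, bits: int, salted: bool) -> int:
    """How many full enumerations it takes to match every device's public id."""
    tables = {}
    for mac, state in devices:
        salt = mac if salted else b""
        if salt not in tables:
            tables[salt] = build_table(bits, salt)
        if tables[salt].get(public_id(seed(state, salt))) != state:
            raise ValueError("pool state outside the enumerated space")
    return len(tables)

# Constructed sample fleet: (MAC, pool state). Two devices share a pool state.
BITS = 12  # toy stand-in for the thread's 2^40 so the demo runs instantly
FLEET = [
    (bytes.fromhex("020000000001"), 1234),
    (bytes.fromhex("020000000002"), 1234),
    (bytes.fromhex("020000000003"), 4000),
]

if __name__ == "__main__":
    # Without the MAC, one table covers the whole fleet; with it, one per device.
    print("unsalted:", enumerations_needed(FLEET, BITS, salted=False))
    print("salted:  ", enumerations_needed(FLEET, BITS, salted=True))
    # Same pool state, different MACs: the published ids no longer collide.
    a, b = (public_id(seed(1234, mac)) for mac, _ in FLEET[:2])
    print("ids differ when salted:", a != b)
    # MAC as the only input (0 bits of pool entropy): a single candidate remains.
    print("candidates with MAC only:", len(build_table(0, FLEET[0][0])))
```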