[Cryptography] [RNG] on RNGs, VM state, rollback, etc.

John Kelsey crypto.jmk at gmail.com
Thu Oct 24 10:59:14 EDT 2013


We seem to be seeing a move toward commonly-used CPUs including hardware entropy sources.  With those, we're in a much better position.  There's always the possibility that the entropy source was cooked or flawed, but that's something you can engineer your way around reasonably well.  

Suppose you have a cryptographic PRNG that you initialize with a seed like this:

a.  Get 256 bits of entropy from the OS.
b.  Get 256 bits of entropy from the hardware entropy source.
c.  Ping several hosts on the internet and measure the response time, and fold that into your seed.
d.  Fold your Ethernet address, IP address, and serial number into the seed.
e.  Fold the installed-at-birth secret 128-bit value from your device into the seed.

Initialize a PRNG with all that, and the attacker is in an extremely hard place, as he has to be able to guess all five elements.  (d) isn't all that hard to guess, but the rest will in general be very hard to guess.  

--John
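The five-source seeding procedure from the post, worked through as an added example (this is not code from the post or its author): each input is labelled and length-prefixed before hashing so the seed is as hard to guess as its hardest-to-guess component, and the folded seed then keys an HMAC-SHA256 counter-mode generator. The hardware-entropy bytes, ping timings, identifiers and birth secret are constructed placeholders passed in by the caller; only step (a) is taken from the OS.

```python
import hashlib
import hmac
import os
import struct


def fold_seed_material(sources):
    """Hash labelled, length-prefixed inputs into one 256-bit seed.

    Length-prefixing keeps the encoding unambiguous, so an attacker who
    knows the easy component (d) still has to guess (a), (b), (c) and (e).
    """
    h = hashlib.sha256()
    for label, data in sources:
        h.update(struct.pack(">I", len(label)) + label.encode("ascii"))
        h.update(struct.pack(">I", len(data)) + data)
    return h.digest()


class HmacCounterPrng:
    """Deterministic generator keyed from the folded seed (HMAC-SHA256, counter mode)."""

    def __init__(self, seed):
        # Derive the generator key from the seed under a fixed domain tag,
        # so the raw seed bytes never leave this object.
        self.key = hmac.new(b"prng-key-derivation", seed, hashlib.sha256).digest()
        self.counter = 0

    def random_bytes(self, n):
        out = bytearray()
        while len(out) < n:
            out += hmac.new(self.key, struct.pack(">Q", self.counter), hashlib.sha256).digest()
            self.counter += 1
        return bytes(out[:n])


def gather_sources(hw_entropy, ping_times_ns, eth_addr, ip_addr, serial, birth_secret):
    """Steps (a)-(e) of the post. Everything except (a) is supplied by the caller;
    in a real device (b) would come from the CPU entropy instruction, (c) from
    measured round-trip times and (d)/(e) from the device's own identity store."""
    return [
        ("a:os-entropy", os.urandom(32)),
        ("b:hw-entropy", hw_entropy),
        ("c:ping-times", b"".join(struct.pack(">Q", t) for t in ping_times_ns)),
        ("d:identifiers", eth_addr + ip_addr + serial),
        ("e:birth-secret", birth_secret),
    ]
```

Changing any single source changes the folded seed, and two generators built from the same seed produce the same stream, which is what makes the seed, not the generator, the thing an attacker has to guess.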
