[Cryptography] /dev/random is not robust

Phillip Hallam-Baker hallam at gmail.com
Thu Oct 24 11:16:52 EDT 2013


On Thu, Oct 17, 2013 at 8:32 AM, Adam Back <adam at cypherspace.org> wrote:

> On Wed, Oct 16, 2013 at 10:12:14PM -0400, Theodore Ts'o wrote:
>
>> In the Linux Pseudo Random Number Generator Revisited paper
>> (http://eprint.iacr.org/2012/251.pdf),
>> the authors sampled and
>> analyzed the various real-life entropy sources, and found the entropy
>> estimation to be pretty good, and if it erred, it erred on the side of
>> conservatism, which is as designed.
>>
>
> I think the more worrying case is a freshly imaged rack mount server,
> immediately generating keys or outputting random numbers to the network or
> in response to network queries.
>

+1

And I have not seen any proposal that is really going to solve this
particular problem in the thread since.

If I was asked three months ago my position would be 'generate the keys on
the device that is going to use them and they never leave unless it is a
really constrained device like a credit card.'

I have completely changed my mind on this. I now think public keys should
be generated in device adapted for that purpose and migrated out using some
form of secure protocol that ensures only the intended device can use them.


Further, the scheme used should provide the devices with a unique random
seed that can be used as a backstop against compromise or failure of other
RNGs. Using a stream cipher is not a very good RNG but nothing bad can
happen by XORing a good but brittle RNG against the output of a completely
independent cipherstream.

-- 
Website: http://hallambaker.com/
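The backstop construction from the last paragraph, as an added example that is not part of the original post: output from a primary RNG is XORed with a keystream derived from a device-unique seed, so a failure of the primary still leaves the keystream's randomness. SHA-256 in counter mode stands in for a real stream cipher; the seed handling, the simulated failure and the sanity check are assumptions of this example, not anything from the thread.

```python
"""Combine a brittle RNG with an independent keystream by XOR (added example)."""
import hashlib
import os
import secrets


def keystream(seed: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256(seed || counter) blocks, truncated to length.
    Assumption: a real deployment would use a proper stream cipher (e.g. ChaCha20)
    keyed with a seed that never leaves the device."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; both inputs must have the same length."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def combined_random(primary: bytes, seed: bytes) -> bytes:
    """Primary RNG output XOR an independent keystream of the same length.
    If either input is uniformly random and independent of the other, the
    result is uniformly random, which is the point of the backstop."""
    return xor_bytes(primary, keystream(seed, len(primary)))


def simulate(seed: bytes, n: int, primary_broken: bool) -> bytes:
    """Constructed scenario: the primary RNG either works (os.urandom) or has
    failed silently and returns all zeros; the combiner is applied either way."""
    primary = bytes(n) if primary_broken else os.urandom(n)
    return combined_random(primary, seed)


def is_plausibly_random(data: bytes) -> bool:
    """Cheap sanity check that catches a stuck or all-zero output: no single
    byte value may account for more than 1/16 of the sample (assumed threshold)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return max(counts) < len(data) // 16


if __name__ == "__main__":
    device_seed = secrets.token_bytes(32)  # stand-in for a provisioned unique seed
    print("broken primary, combined output still usable:",
          is_plausibly_random(simulate(device_seed, 4096, primary_broken=True)))
```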