[Cryptography] [RNG] on RNGs, VM state, rollback, etc.

Watson Ladd watsonbladd at gmail.com
Thu Oct 24 16:06:35 EDT 2013


On Wed, Oct 23, 2013 at 2:01 PM, Tony Naggs <tonynaggs at gmail.com> wrote:
> On 22 October 2013 05:17, Watson Ladd <watsonbladd at gmail.com> wrote:
>>
>> And with a wire that costs 25 cents connecting the wallwart to the
>> interrupt pin we've got 60 Hz (50 in Europe) uncorrelated to our local
>> clock. Measure the drift, and in 5 seconds we are done collecting 250
>> bits of entropy (one bit per interrupt).
>
> I think you are overestimating how much real entropy you will collect this
> way.
I'm actually horribly underestimating it, if you understand what the
source actually is.
It's not the frequency variations of the mains, but the phase
variation of our local clock.
>
>> 2^40 is not a lot for your colleagues in Fort Meade. Imagine this is host
>> key generation on hosts on large, important, networks. Piddling with
>> the MAC key won't keep out anyone who seriously wants to get in.
>
> If the adversaries you are concerned about are moderately resourced
> they could be able to model this entropy source.
>
> There are a relatively small number of CPU clock frequencies in wide
> use and variations on mains frequency are easily discoverable by others,
> e.g. other servers at your co-lo. Also, at least in the UK, there are public
> records of these variations such as:
> http://www.nationalgrid.com/uk/Electricity/Data/Realtime/Frequency/

That's not where the randomness is coming from. Let's assume that the
mains frequency is precisely divided down to 60 Hz, according to an
atomic clock/optical clock, and let's assume our clock is 60 MHz, not
in a PLL with the mains. Then each time we have an interrupt from the
mains we should have seen one million ticks of our local clock.
But thanks to the noise in our local oscillator, we won't always see
exactly one million. It's a selling point if the jitter is less
than one picosecond, which is one millionth of our frequency. Mirabile
dictu, this is the last bit of the tick count.
Sincerely,
Watson Ladd
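The tick-counting scheme above (count local 60 MHz ticks between 60 Hz mains interrupts, keep the last bit) as an added simulation, not code from either poster. It models oscillator jitter as Gaussian noise in ticks per mains period (a constructed assumption, not a measured oscillator) and estimates min-entropy of the resulting bit stream, so the "one bit per interrupt" claim can be checked rather than assumed: with jitter near a full tick the LSB is nearly unbiased, with jitter far below a tick it is constant.

```python
import math
import random

LOCAL_HZ = 60_000_000                   # local oscillator, as in the post
MAINS_HZ = 60                           # mains interrupt rate
EXPECTED_TICKS = LOCAL_HZ // MAINS_HZ   # 1_000_000 ticks per interrupt


def tick_counts(n, jitter_ticks, rng):
    """Simulate n mains interrupts and return the integer tick count the
    local clock shows between consecutive interrupts.  jitter_ticks is the
    standard deviation of oscillator noise per mains period, in ticks
    (constructed Gaussian model, not a measurement of real hardware)."""
    counts = []
    for _ in range(n):
        ticks = EXPECTED_TICKS + rng.gauss(0.0, jitter_ticks)
        counts.append(int(round(ticks)))
    return counts


def lsb_stream(counts):
    """The proposed extractor: keep only the last bit of each tick count."""
    return [c & 1 for c in counts]


def min_entropy_per_bit(bits):
    """Min-entropy per bit, treating the stream as i.i.d. Bernoulli:
    -log2(max(p0, p1)).  Returns 0.0 for a constant stream.  This is an
    upper bound on what the source delivers; it ignores correlation."""
    if not bits:
        return 0.0
    p1 = sum(bits) / len(bits)
    return -math.log2(max(p1, 1.0 - p1))


def estimate(jitter_ticks, n=20000, seed=1):
    """Min-entropy estimate of the LSB stream for a given jitter level."""
    rng = random.Random(seed)           # fixed seed: reproducible simulation
    return min_entropy_per_bit(lsb_stream(tick_counts(n, jitter_ticks, rng)))


if __name__ == "__main__":
    # Jitter of about one tick per period: LSB close to one full bit.
    # Jitter of a twentieth of a tick: count is always 1_000_000, LSB is 0.
    for jitter in (1.0, 0.5, 0.2, 0.05):
        print(f"jitter {jitter:5.2f} ticks -> "
              f"{estimate(jitter):.3f} bits min-entropy per interrupt")
```

Multiply the per-interrupt estimate by 60 Hz and the collection time to get the bits actually gathered, rather than assuming 250 bits in five seconds.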
