[Cryptography] Techniques for malevolent crypto hardware
kentborg at borg.org
Sun Sep 8 20:34:55 EDT 2013
On 09/08/2013 06:16 PM, John Kelsey wrote:
> I don't think you can do anything useful in crypto without some good
> source of random bits.
I don't see the big worry about how hard it is to generate random
a) You need them super fast (because you are Google, trying to secure
your very high-speed long lines), or
b) You are some embedded device that is impoverished for both sources
of entropy and non-volatile storage, and you need good random bits the
moment you boot.
On everything in between, there are sources of entropy. Collect them,
hash then together and use them to feed some good cryptography. If you
seem short of entropy, look for more in your hardware manual. Hash in
any local unique information. Hash in everything you can find! (If the
NSA knows every single bit you are hashing in, no harm, hash them in
anyway, but...if the NSA has misunderestimated any one of your
bits...then you scored a bit! Repeat as necessary.)
I am thinking pure HW RNGs are more sinful than pure SW RNGs, because
real world entropy is colored and hardware is the wrong place to fix
that. So don't buy HW RNGs, buy HW entropy sources (or find them in your
current HW) and feed them into a good hybrid RNG.
On a modern multi-GHz CPU the exact LSB of your highspeed system
counters, when the interrupt hits your service routine, has uncertainty
that is quite real once the you push the NSA a few centimeters from your
CPU or SoC. Just sit around until you have a few network packets and
you can have some real entropy. Wait longer for more entropy.
In case you did notice, I am a fan of hybrid HW/SW RNGs.
P.S. Entropy pools that are only saved on orderly shutdowns are risking
crash-and-playback attacks. Save regularly, or something like that.
P.P.S. Don't try to estimate entropy, it is a fool's errand, get as much
as you can (within reason) and feed it into some good cryptography.
P.P.P.S. Have an independent RNG? If it *is* independent, no harm in
XORing it in.
More information about the cryptography