[Cryptography] Techniques for malevolent crypto hardware

Kent Borg kentborg at borg.org
Sun Sep 8 20:34:55 EDT 2013

On 09/08/2013 06:16 PM, John Kelsey wrote:
> I don't think you can do anything useful in crypto without some good 
> source of random bits.

I don't see the big worry about how hard it is to generate random 
numbers unless:

  a) You need them super fast (because you are Google, trying to secure 
your very high-speed long lines), or

  b) You are some embedded device that is impoverished for both sources 
of entropy and non-volatile storage, and you need good random bits the 
moment you boot.

On everything in between, there are sources of entropy. Collect them, 
hash them together and use them to feed some good cryptography.  If you 
seem short of entropy, look for more in your hardware manual. Hash in 
any local unique information. Hash in everything you can find! (If the 
NSA knows every single bit you are hashing in, no harm, hash them in 
anyway, but...if the NSA has misunderestimated any one of your 
bits...then you scored a bit! Repeat as necessary.)

I am thinking pure HW RNGs are more sinful than pure SW RNGs, because 
real world entropy is colored and hardware is the wrong place to fix 
that. So don't buy HW RNGs, buy HW entropy sources (or find them in your 
current HW) and feed them into a good hybrid RNG.

On a modern multi-GHz CPU the exact LSB of your high-speed system 
counters, when the interrupt hits your service routine, has uncertainty 
that is quite real once you push the NSA a few centimeters from your 
CPU or SoC.  Just sit around until you have a few network packets and 
you can have some real entropy. Wait longer for more entropy.

In case you did notice, I am a fan of hybrid HW/SW RNGs.


P.S.  Entropy pools that are only saved on orderly shutdowns are risking 
crash-and-playback attacks. Save regularly, or something like that.

P.P.S. Don't try to estimate entropy, it is a fool's errand, get as much 
as you can (within reason) and feed it into some good cryptography.

P.P.P.S. Have an independent RNG? If it *is* independent, no harm in 
XORing it in.
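A minimal hybrid RNG of the kind the post describes, added here as an illustration (it is not code from the post or from any particular system): every source is hashed into a pool, the pool is expanded with HMAC-SHA256 and ratcheted after each read, the saved state is a hash of the pool rather than the pool itself, and an independent RNG can be XORed in. The source samples in the demo are constructed, and the `HybridRng` class and its method names are this example's own.

```python
import hashlib, hmac, struct, time

class HybridRng:
    """Hash any number of entropy sources into a pool, expand with HMAC-SHA256."""

    def __init__(self, persisted_state: bytes = b""):
        # Start from whatever was saved last time (empty on a first boot).
        self.pool = hashlib.sha256(b"hybrid-rng-init" + persisted_state).digest()
        self.counter = 0

    def stir(self, label: bytes, sample: bytes) -> None:
        # Hash everything in, labelled by source. A sample the adversary already
        # knows does no harm; a sample they got wrong by one bit helps.
        self.pool = hashlib.sha256(self.pool + label + sample).digest()

    def stir_timer_lsb(self) -> None:
        # Low byte of a high-resolution counter sampled at an unpredictable moment
        # (in a real system: inside an interrupt service routine).
        self.stir(b"timer", struct.pack("<Q", time.perf_counter_ns() & 0xFF))

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.pool, struct.pack("<Q", self.counter),
                            hashlib.sha256).digest()
        # Ratchet so that a later pool compromise does not reveal earlier output.
        self.pool = hashlib.sha256(b"ratchet" + self.pool).digest()
        return out[:n]

    def snapshot(self) -> bytes:
        # Save this regularly, not only at orderly shutdown; it feeds the next boot.
        return hashlib.sha256(b"save" + self.pool).digest()

def xor_independent(a: bytes, b: bytes) -> bytes:
    # Mixing in a truly independent RNG by XOR cannot make the output worse.
    return bytes(x ^ y for x, y in zip(a, b))

if __name__ == "__main__":
    rng = HybridRng()
    rng.stir(b"hwmon", b"\x03\x1f\x9a")          # constructed sensor reading
    rng.stir(b"unique", b"serial:PLACEHOLDER-1")   # constructed local unique info
    rng.stir_timer_lsb()
    print(rng.random_bytes(16).hex())
```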
