[Cryptography] A TRNG review per day (week?): ATSHA204A has low entropy

Cox, Landon Landon.Cox at atmel.com
Mon Dec 8 19:52:52 EST 2014


Thanks for posting, Bill.  You are correct: you should always update the seed between wake/sleep power cycles.

I wanted to respond to this further to bring some clarity.  Just to make sure we're all talking about the same thing, the part in question on the Hashlet is ATSHA204, not the ATSHA204A.

On the ATSHA204, the random seed must be updated within the power-cycle (wake to sleep).  The datasheet states that random seed update is needed for highest security.  This is excerpted from the ATSHA204 datasheet, section 8.6.12 Table 8-29, Mode 0 Nonce command:

"Automatically update EEPROM seed only if necessary prior to random number generation.  Recommended for highest security."  And Table 8-34, section 8.6.14, the Random command, says the same thing.  The ATSHA204A datasheet is likewise explicit about highest security random mode.

Updating the seed during the random command after the wakeup is the correct way to use it.  Like any security device, if you use it in a way it's not meant to be used, it can fail.  You must update the seed each power cycle (wake-sleep) on the ATSHA204 for proper operation.  The random number generation is implemented differently in the SHA204A and is not sensitive to this issue.  We recommend always updating the random seed for highest security in any case.

This operational principle also applies to the nonce command when not used in a pass-through mode.

The datasheet note about EEPROM wear of the random seed is easy to misinterpret.  If EEPROM is rated for 100,000 write cycles before there might be a single bit error, it's quite likely to be orders of magnitude more writes before a 1-bit retention error occurs.  There are 256 bits in a random seed, so it could be years of write wear after constantly changing the seed in back-to-back operations before it would potentially wear to 128 bits of entropy.  Also, the seed is combined with an analog random noise source, so the seed is not the only random source.  Practically speaking, you'll never wear out the seed EEPROM, so always update the random seed after wake.

The ATSHA204 was end-of-life'd 5/16/14 and hasn't been recommended for new designs since then.  The part which superseded the ATSHA204 is the ATSHA204A, and this behavior has been eliminated entirely.  The ATSHA204A was available for samples 4/25/14 and has been available in production quantities since 7/1/14.  Last sale date of the ATSHA204 was 5/16/14.

The correct way to use the ATSHA204 or ATSHA204A random number generator is:

1) Wake
2) Random or Nonce Mode 0 (with seed update)
3) Additional Random/Nonce Mode 0 commands
4) Idle or sleep

The chip will know it doesn't need to update the seed at step 3, so passing Mode 0 in all cases is the recommended practice for highest security.

If you have any further questions, by all means contact us through Atmel support channels and we'll work to clarify any issues or answer questions about the part.

Thanks again, Bill,

Landon Cox
Atmel Crypto App Engineer
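
The following Python is an added example, not part of Landon's post and not Atmel's code. It frames the ATSHA204/ATSHA204A command packets for the sequence above (wake, Random or Nonce Mode 0 with seed update, further commands, idle or sleep) and rejects a wake cycle whose first random draw uses Mode 1 instead of Mode 0. Opcodes, mode values, the Count/Opcode/Param1/Param2/Data/CRC layout, the CRC-16 (polynomial 0x8005, LSB-first) and the I2C word addresses are taken from the ATSHA204 datasheet; the fixed 0xFFFF0000... output an unlocked part returns from Random is likewise a datasheet property. The I2C bus itself is not modelled, so the packets and responses here are constructed, not captured, and the example runs offline.

```python
"""
Added example (not from the original post, not Atmel's code): frame the
ATSHA204/ATSHA204A packets for the recommended random-number sequence
(wake, Random/Nonce Mode 0 with seed update, further commands, idle or sleep)
and check that each wake..sleep cycle follows it.
"""

POLY = 0x8005

OP_NONCE = 0x16
OP_RANDOM = 0x1B
MODE_SEED_UPDATE = 0x00       # Random/Nonce Mode 0: update the EEPROM seed if needed
MODE_NO_SEED_UPDATE = 0x01    # Mode 1: use the current seed, no EEPROM update
NONCE_PASSTHROUGH = 0x03      # Nonce Mode 3: caller supplies the nonce, nothing random is drawn

WA_SLEEP, WA_IDLE, WA_COMMAND = 0x01, 0x02, 0x03   # I2C word-address byte before each transfer

# Fixed 32-byte value Random returns while the configuration zone is still unlocked
UNLOCKED_FIXED_RANDOM = bytes.fromhex("ffff0000") * 8

WAKE_RESPONSE = bytes.fromhex("04 11 33 43")   # status 0x11 = "after wake" (datasheet value)


def atmel_crc16(data):
    """CRC-16, polynomial 0x8005, data bits consumed LSB first, as the ATSHA204
    family computes it. Returns the two CRC bytes in wire order (LSB, MSB)."""
    crc = 0
    for byte in data:
        for bit in range(8):
            data_bit = (byte >> bit) & 1
            crc_bit = crc >> 15
            crc = (crc << 1) & 0xFFFF
            if data_bit != crc_bit:
                crc ^= POLY
    return bytes((crc & 0xFF, crc >> 8))


def packet_ok(pkt):
    """Count byte and CRC check; the same framing is used for commands and responses."""
    return len(pkt) >= 4 and len(pkt) == pkt[0] and atmel_crc16(pkt[:-2]) == pkt[-2:]


def build_command(opcode, param1, param2, data=b""):
    """Count | Opcode | Param1 | Param2 (LSB, MSB) | Data | CRC (LSB, MSB).
    Count includes itself and the two CRC bytes."""
    count = 1 + 1 + 1 + 2 + len(data) + 2
    body = bytes((count, opcode, param1, param2 & 0xFF, param2 >> 8)) + data
    return body + atmel_crc16(body)


def random_cmd(update_seed=True):
    """Random command: Mode 0 updates the seed, Mode 1 does not."""
    mode = MODE_SEED_UPDATE if update_seed else MODE_NO_SEED_UPDATE
    return build_command(OP_RANDOM, mode, 0x0000)


def nonce_cmd(num_in, update_seed=True):
    """Random nonce: 20 bytes of NumIn are mixed in; Mode 0 also updates the seed."""
    if len(num_in) != 20:
        raise ValueError("Nonce Mode 0/1 takes exactly 20 bytes of NumIn")
    mode = MODE_SEED_UPDATE if update_seed else MODE_NO_SEED_UPDATE
    return build_command(OP_NONCE, mode, 0x0000, num_in)


def frame_response(data):
    """Response framing (Count | Data | CRC); used here only to construct sample responses."""
    body = bytes((len(data) + 3,)) + data
    return body + atmel_crc16(body)


def random_response_ok(resp):
    """A usable Random response is 35 bytes (32 random bytes plus framing) and is
    not the fixed pattern an unlocked part hands back."""
    return packet_ok(resp) and len(resp) == 35 and resp[1:33] != UNLOCKED_FIXED_RANDOM


def check_cycle(commands):
    """None if the first Random or non-pass-through Nonce in this wake..sleep
    cycle uses Mode 0 (seed update), otherwise a description of the problem."""
    for pkt in commands:
        if not packet_ok(pkt):
            return "malformed packet " + pkt.hex()
        opcode, mode = pkt[1], pkt[2]
        draws_random = opcode == OP_RANDOM or (opcode == OP_NONCE and mode != NONCE_PASSTHROUGH)
        if draws_random:
            if mode != MODE_SEED_UPDATE:
                return "first Random/Nonce after wake uses Mode %d; Mode 0 (seed update) required" % mode
            return None
    return None


def session(commands, end=WA_SLEEP):
    """One power cycle as (label, bytes-on-the-bus) pairs: wake condition, each
    command behind the command word address, then idle or sleep. Refuses a
    cycle whose first random draw does not update the seed."""
    problem = check_cycle(commands)
    if problem:
        raise ValueError(problem)
    wire = [("wake", b"")]   # wake is a bus condition (SDA held low), not a packet
    for pkt in commands:
        wire.append(("command", bytes((WA_COMMAND,)) + pkt))
    wire.append(("sleep" if end == WA_SLEEP else "idle", bytes((end,))))
    return wire


if __name__ == "__main__":
    assert packet_ok(WAKE_RESPONSE)   # CRC routine agrees with the bytes the part sends after wake
    for label, raw in session([random_cmd(), nonce_cmd(bytes(20), update_seed=False)]):
        print(label, raw.hex())
```

Running the script prints the wire sequence for a correct cycle: the Mode 0 Random first, then a Mode 1 Nonce that the part will serve from the already-updated seed, then the sleep word address. The wake response (04 11 33 43) is a handy check that the CRC routine matches the silicon before you trust it on command packets.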
