[Cryptography] A TRNG review per day: Skipping EntropyKey
Bill Cox
waywardgeek at gmail.com
Wed Dec 17 02:52:01 EST 2014
On Tue, Dec 16, 2014 at 12:39 AM, grarpamp <grarpamp at gmail.com> wrote:
>
> If one's goal is to objectively review keys, then one must review the
> keys without exception. Otherwise it throws a cloud over things.
> Any selections and exceptions must all have followed the same metric,
> such as costing too much to procure for test, with pursuant requests
> for loaners for review all denied by the manufacturer. With any
> relationships disclosed or recused. "Respect" is subjective and not a
> valid reason, nor is "critical review" not a form of praise. Reviewers
> need to develop the goals, processes, test items, and policies of their
> reviews before engaging in them. Unless one's goal is to be subjective,
> a good review leaves that matter to the reader.
I see your point. In that case, here are my thoughts on Entropy Key. First,
it is a solid effort, with a lot of feedback from the Linux community that
went into its design. The fact that Entropy Key was out there dealing with
so many security concerns before the Snowden revelations shows a lot of
good insight by the Entropy Key developers. However, we can do better.
Here's one decent FAQ about Entropy Key:
https://we.riseup.net/debian/entropy#audio-device-entropy
Here's the issue that bothers me most:
Q. How open is this device anyways?
A. The source to the firmware is not currently available from Simtec. The
keys are epoxied and one-time programmable, which would make it impossible
to verify the source with the firmware if we did have it.
I don't understand how an effort like Entropy Key could get so far and then
fail on this point. However, before Snowden, only seriously paranoid
tin-foil hat nerds worried about things like having the firmware
compromised. Also, this effort pre-dates recent work showing how USB keys
can be used to PWN your system. Epoxy may have seemed like a good solution
before hearing about how devices are sometimes intercepted in the mail and
modified. With this knowledge, I have to agree with the OneRNG team that
the best solution is to be completely open and verifiable. The lack of an
open schematic is also a problem. Similar to the TrueRNG, Entropy Key
devices have two zener noise sources, which is a good thing. However,
having two zener noise sources is not as strong as two completely different
kinds of entropy sources, as we have in OneRNG. My preference here remains
using a single entropy source of higher quality than either zener or radio
noise, but zeners are the current standard. Hopefully that will change.
Another issue I have with the Entropy Key is its complexity, which is
quite harmful to cryptographic security. The firmware takes on too much,
IMO, in terms of health monitoring, whitening, and then encrypting
communication with the host application. The KISS rule applies far more in
crypto than elsewhere, since writing secure crypto code can be very
difficult. I would prefer that these functions run on the host, and be
open-source, so many eyes could help verify it, and where a security patch
could be issued quickly if any problem is found. Also, to support these
functions, a high-end microcontroller is required, making it a bit more
expensive.
While encrypting the Entropy Key output is cool, I think this added
complexity is not worth the risk. Having a master key bothers me a bit, as
it is known by the user, the manufacturer, and possibly the MiB, since they
can easily force the manufacturer to hand over the master keys. I see that
Entropy Keys are not currently in production, with no new production date
offered. This is a bit mysterious, and with my tin-foil hat, I wonder if
perhaps they've been NSL-ed (national security letter), and forced to hand
over the master keys. From what I can tell, the Entropy Key authors are
the kind of guys who would rather end production of a device than hand over
its keys to the MiB. If this were the case, they likely would be
restricted from even saying that they have ended production. This could
explain the current bizarre status of Entropy Key production. Have they
been NSL-ed? How's that for paranoia :-)
Encrypting random data seems redundant to me, because such encryption
requires that the client already have a crypto-strength secret, from which
it could simply crank out as much key material as it needs with a CPRNG.
If an attacker learns this secret, he could predict the CPRNG output, but
he could also then decrypt the RNG data stream from the Entropy Key.
Exactly what security is gained through this encryption? I haven't
figured it out, yet. IMO, all this complexity creates too many new avenues
of attack, and the code is closed-source. Not good for security.
All this said, I think Entropy Key did an outstanding job overall, and they
blazed the trail followed by the likes of OneRNG. I heard of it long
before OneRNG, and I wanted to buy one. I'd own one now if it were still
in production. However, it is time to move to a more open solution.
Bill
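The host-side, open-source health monitoring the message above argues for, shown as an added example that is not Entropy Key, OneRNG or Bill's own code. It implements the two SP 800-90B continuous tests (Repetition Count and Adaptive Proportion) over raw 8-bit samples; the entropy estimate H_BITS, the sample streams and the seeded PRNG standing in for the USB device are all assumptions constructed for the example.

```python
# Added example (not Entropy Key or OneRNG code): SP 800-90B continuous
# health tests run on the host over raw 8-bit samples from a USB TRNG.
import math
import random

ALPHA = 2.0 ** -30   # false-alarm rate used by SP 800-90B section 4.4
H_BITS = 4.0         # assumed (conservative) min-entropy per 8-bit sample
WINDOW = 512         # APT window for non-binary sources

def rct_cutoff(h_bits, alpha=ALPHA):
    """Repetition Count Test cutoff: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(alpha) / h_bits)

def apt_cutoff(h_bits, window=WINDOW, alpha=ALPHA):
    """APT cutoff: smallest c with P[Binomial(window, 2^-H) >= c] <= alpha."""
    p, cdf = 2.0 ** -h_bits, 0.0
    for c in range(window + 1):
        cdf += math.comb(window, c) * p ** c * (1 - p) ** (window - c)
        if 1.0 - cdf <= alpha:   # tail strictly above c is under alpha
            return c + 1
    return window + 1

def repetition_count_test(samples, cutoff):
    """False if any value repeats `cutoff` or more times in a row."""
    last, run = None, 0
    for s in samples:
        run = run + 1 if s == last else 1
        last = s
        if run >= cutoff:
            return False
    return True

def adaptive_proportion_test(samples, cutoff, window=WINDOW):
    """False if, in any full window, its first sample occurs >= cutoff times."""
    for start in range(0, len(samples) - window + 1, window):
        win = samples[start:start + window]
        if win.count(win[0]) >= cutoff:
            return False
    return True

def health_check(samples, h_bits=H_BITS):
    """Return (rct_ok, apt_ok); the host should stop using the stream on False."""
    return (repetition_count_test(samples, rct_cutoff(h_bits)),
            adaptive_proportion_test(samples, apt_cutoff(h_bits)))

# Constructed streams: a seeded PRNG stands in for the USB device.
rng = random.Random(2014)
HEALTHY = bytes(rng.getrandbits(8) for _ in range(4096))
STUCK = bytes([0x5A]) * 4096                     # dead zener: RCT and APT fail
BIASED = bytes(0 if i % 2 == 0 else rng.getrandbits(8) for i in range(4096))
```

The BIASED stream passes the repetition count test but fails the adaptive proportion test, which is why both run together: a source that is heavily skewed without ever getting stuck is only caught by the second one.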