[Cryptography] cheap sources of entropy

John Denker jsd at av8n.com
Sun Feb 2 18:04:01 EST 2014

There's a medical proverb that says:
  Suppose you're standing beside a racetrack in Kentucky.
  If you hear hoofbeats, don't assume it's zebras.
  It's probably just horses.

I mention that because on 02/02/2014 08:34 PM, John Gilmore wrote:
> So, if an attacker running malware in a hypervisor (or SMM) knew you
> were depending on disk drive timings for the random numbers that
> create your encryption keys, how easily could they attack you by
> rigidizing those interrupt timings, e.g. delaying your virtual machine
> interrupts at to the next even 1/60th of a second?

If a host system wanted to be malicious, it would not need
to do anything as zebra-like as messing with disk timing.
It could just snapshot the entire guest memory, including
codetext, plaintext, session keys, long-term keys, random
numbers, non-random numbers, recent keystrokes, and everything

Forsooth, I suggest we use the other edge of that sword:
If you're going to be a VM guest at all, you should arrange
by contract for the host to provide you with entropy ... via
a virtual /dev/hrng device or some such.

At this point technical issue reduces to the somewhat simpler
case of finding a good source of entropy for the host.  This
does not create any /new/ trust issues of any significance.

More information about the cryptography mailing list