[Cryptography] cheap sources of entropy

John Denker jsd at av8n.com
Sun Feb 2 18:04:01 EST 2014


There's a medical proverb that says:
  Suppose you're standing beside a racetrack in Kentucky.
  If you hear hoofbeats, don't assume it's zebras.
  It's probably just horses.

I mention that because on 02/02/2014 08:34 PM, John Gilmore wrote:
> So, if an attacker running malware in a hypervisor (or SMM) knew you
> were depending on disk drive timings for the random numbers that
> create your encryption keys, how easily could they attack you by
> rigidizing those interrupt timings, e.g. delaying your virtual machine
> interrupts to the next even 1/60th of a second?

If a host system wanted to be malicious, it would not need
to do anything as zebra-like as messing with disk timing.
It could just snapshot the entire guest memory, including
codetext, plaintext, session keys, long-term keys, random
numbers, non-random numbers, recent keystrokes, and everything
else.

Forsooth, I suggest we use the other edge of that sword:
If you're going to be a VM guest at all, you should arrange
by contract for the host to provide you with entropy ... via
a virtual /dev/hrng device or some such.

At this point the technical issue reduces to the somewhat simpler
case of finding a good source of entropy for the host.  This
does not create any /new/ trust issues of any significance.
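As an added illustration (not part of the thread) of the "rigidized interrupt timings" scenario quoted above, here is a constructed model of disk-completion timestamps, a host that delays each one to the next 1/60 s boundary, and a min-entropy estimate of what a naive harvester (keeping the low byte of each inter-arrival delta) would actually collect. The timestamps, tick size and harvesting rule are all assumptions of this example, not measurements.

```python
import math
import random
from collections import Counter

TICK_NS = 1_000_000_000 // 60  # assumed host tick: one 1/60 s interval, in ns


def min_entropy_bits(samples):
    """Min-entropy of the empirical distribution: -log2(probability of the most common value)."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def inter_arrival(timestamps_ns):
    """Deltas between consecutive interrupt timestamps."""
    return [b - a for a, b in zip(timestamps_ns, timestamps_ns[1:])]


def rigidize(timestamps_ns, tick_ns=TICK_NS):
    """Model the quoted attack: every interrupt is delayed to the next tick boundary."""
    return [((t + tick_ns - 1) // tick_ns) * tick_ns for t in timestamps_ns]


def harvest(timestamps_ns, mask=0xFF):
    """Entropy a naive harvester keeps when it retains only the low byte of each delta."""
    return min_entropy_bits([d & mask for d in inter_arrival(timestamps_ns)])


def constructed_timestamps(n=2000, seed=1):
    """Constructed sample (not real measurements): completions 2..12 ms apart with jitter."""
    rng = random.Random(seed)
    t, out = 0, []
    for _ in range(n):
        t += rng.randint(2_000_000, 12_000_000)
        out.append(t)
    return out


if __name__ == "__main__":
    natural = constructed_timestamps()
    print("natural jitter, low byte of delta:", round(harvest(natural), 2), "bits/sample")
    print("rigidized to 1/60 s, low byte of delta:", round(harvest(rigidize(natural)), 2), "bits/sample")
```

The point a harvester designer can take from this is that an entropy estimate must be made against the adversarial model (quantized timings), not the benign one, which is exactly why the message prefers a host-provided source over guessing at guest-side timing quality.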
