[Cryptography] cheap sources of entropy

[John Kelsey]

The problem of using hard drives for entropy is one that I think demonstrates a lot of the ways entropy collection from general purpose stuff tends to go wrong.  Here's the pattern:

a.  Someone does a careful, in-depth analysis of the behavior of some component of general-purpose machines, like trying to really quantify the unpredictability in read times and trace it back to air turbulence inside the drive.  

b.  People start using this analysis to estimate entropy.  (Or more honestly, they use it to assert enough entropy exists, since if it doesn't, they've got a pain-in-the-ass design problem they don't want.)  

c.  Over time and across devices, the reality on which the original analysis was based is radically changed.  Some machines have networked drives.  Some have flash drives.  The drive hardware gets smarter, with bigger caches and more layers of caching.  The OS changes its behavior in ways that change everything.  And so on.  

d.  Code developed and even tested for one environment run on some new environment, and don't get any entropy.  The software now getting insufficient entropy never even detects that this is the case.  And we get a bunch of keys with 16 bits of entropy in them. 

I think this is going to be the problem as long as we're counting on general-purpose devices to give us entropy.  Any analysis we do is only valid on the hardware and OS that we do it on, and yet it needs to be used (and will be used) in many very different environments.  It's one reason why I think dedicated hardware entropy sources like Intel and AMD are putting into their chips are a huge step in the right direction.  

--John