[Cryptography] RAM memories as one source of entropy

Jerry Leichter leichter at lrw.com
Thu Feb 13 18:51:29 EST 2014


On Feb 10, 2014, at 5:12 AM, Joachim Strömbergson <Joachim at Strombergson.com> wrote:
>> That doesn't mean that there might not be other ways to get
>> interesting entropy from DRAM, just that it doesn't seem to be free
>> for the reading in recent hardware; you might have to do some
>> hardware engineering to do it, at which point there have got to be
>> better ways to add some entropy-yielding hardware to your design.... [Many papers cited.]
I've become very suspicious of all approaches like this.  They rely on details of current-generation technologies - often *side effects* of details of current technologies.  The problem is that technologies change very rapidly.  They actually sometimes change on time scales comparable to research completion/publication delays!  And those changes can quickly render older work obsolete.

Peter Gutmann, by being out at the forefront, manages to have his papers become prime examples of this effect.  We all know about his classic "35 patterns to wipe any disk" paper, which is still cited today to justify strategies used in disk-clearing programs - though it was based on detailed, careful research on technologies that have been obsolete for two decades.  (While I haven't come across such a thing yet, I fully expect to one day see an SSD-clearing program claim to use the "Gutmann's 35-pass algorithm".)

Similarly, you cite Gutmann's 2001 paper - which, again by careful and meticulous research - proved that what "everyone knew" - that DRAM would lose all its state within milliseconds of losing power - was wrong.  But in 2001 we would be talking 128M bit DDR memory chips at 2.4V, 100-200MHz with a feature size of around 130nm; today, we're talking 4Gbit DDR3 memory chips at 1V, .8-1.6GHz, with a feature size of around 22nm.  The number of electrons used to store a single bit has come down from about several thousand total to under 500 total.  The construction technologies have changed radically.  The materials used have changed.

Yes, they are both "memory" in an abstract sense, but just about every significant detail of the physical realization is *completely* different.

Does this mean that current generations of RAM *don't* have remanence?  Of course not!  What it means is *we don't really know* - unless we go out there and *look*.  Gutmann's 2001 paper should inspire us to look at the chips we have today with some suspicion - but as a guide to the actual physical properties of modern DRAM chips, it's been obsolete for many years.

And what about tomorrow's chips and disks and SSD's?  Can you rely on measurements of incidental properties of today's versions to lead you into a secure future?  Absolutely not.

If you want *physical* randomness, you need to rely on basic physical principles.  Denker's work is one example; generators based on radioactive decay (*carefully* analyzed - there are traps for the unwary here) are another.  A bit of quick hacking with some chips you happen to have sitting on your desk just ain't gonna do it....
                                                        -- Jerry
