[Cryptography] Entropy Attacks!

Arnold Reinhold agr at me.com
Fri Feb 21 16:30:47 EST 2014

Sent from my iPhone

On Feb 21, 2014, at 12:56 AM, John Kelsey <crypto.jmk at gmail.com> wrote:

> [I'm responding to a somewhat old message, because I think this is an interesting idea worth thinking more about]
> On Feb 9, 2014, at 3:36 PM, Arnold Reinhold <agr at me.com> wrote:
>> D. J. Bernstein has proposed an attack..,
> ...
>> While placing a key stretcher in the RNG chain may seem overkill to just thwart the Bernstein entropy combiner attack, an attack which demands somewhat far fetched preconditions, using a key stretching hash can also mitigate the type of attack proposed by Georg T. Becker. et. al. (Stealthy Dopant-Level Hardware Trojans http://people.umass.edu/gbecker/BeckerChes13.pdf ) An attacker using the Becker technique will reduce the effective state space of the RNG being cooked. The cooked state space must be small enough to allow a brute force search of possible RNG states, but not so small as to risk detection. Applying a high work factor key stretcher to the output of a Beckerized RNG would make the state space search far more expensive and possibly force the attacker to shrink the effective state space enough to allow detection.
> Yes, this is a variant of the entropy guessing attack.  
> The obvious problem with making initializing the RNG computationally expensive is that people really don't like waiting for their RNG to be ready to generate random bits.  (Note the pressure *not* to make /dev/urandom block when it doesn't have enough input entropy.  For that matter, note the use of /dev/urandom for crypto products and libraries that should know better.)  
> I wonder if you might even make some RNGs worse, in practice, by doing this.  If my system has to have a working RNG ten seconds after startup, I can either:
> a.  Collect entropy for 10 seconds and seed my RNG.
> b.  Collect entropy for 10-T seconds and then run my key stretching algorithm for T seconds.
> Suppose we are getting 8 bits of entropy per second, and I set T=5 (so I run my key stretching function for 5 seconds).  I now am seeding with 40 bits of entropy, and running for five seconds maybe I'm putting another 25 bits of security into the system, but I am losing more by not incorporating the other 5 seconds' worth of entropy in.  

There are a couple responses. First an engineering trade off, e.g. nine seconds of entropy gathering and one second of key stretching would get most of the benefits of both (72 bits from entropy gathering, 22 bits from key stretching).

Second, it's hard for me to see a use case where an added 10 or 20 seconds of processing when a box is powered up for the very first time is unacceptable.  

Third, at some point we have to be willing to just say no, the constraints you put on your system in terms of available entropy sources and limits on start up time are incompatible with security requirements. 

> We could incorprate late-arriving entropy into the RNG at the end of the key stretching algorithm, but that kills its value for blocking the attack you were describing above.  
Again there are engineering trade offs here. You could start key stretching immediately on your fast source, e.g. RDrand as you suggested in you second post, and finally mix in the slower source(s) at second 9. 

Arnold Reinhold
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140221/2c7171fd/attachment.html>

More information about the cryptography mailing list