[Cryptography] cheap sources of entropy

Theodore Ts'o tytso at mit.edu
Tue Jan 21 10:10:16 EST 2014


On Mon, Jan 20, 2014 at 04:46:23PM -0000, dj at deadhat.com wrote:
> 
> Paranoid Entropy Trap:
>   The tendency to get no entropy because you turned off all the sources of
> entropy, because you don't trust any of them.

My answer to this is to mix from as many sources as possible, in the
hopes that one or more of them can not be predicted by the attacker.
Yes, this may be less efficient, but that's engineering tradeoffs for
you --- and how many applications really *do* need 3 gigabits per
second of cryptographic grade random numbers?  :-)

The other thing I'd note is that I fear people are focusing more
attention on the random number generator and less on other parts of
the entire solution.  Maybe it's because of Parkinson's Law of Triviality[1].

[1] http://zsoltfabok.com/blog/2013/01/parkinsons-law/

I'm not sure whether the RNG is better characterized as the "bike
shed" or the "coffee for refreshments" as described in Parkinson's 3rd
chapter, "High Finance, or the Point of Vanishing Interest", but I
know one thing for sure.  It's not the 10 million pound nuclear
reactor.

Remember, the system is always going to be secure as its weakest link,
and having the most wonderful RNG in the world isn't going to help you
if the NSA has diverted your hardware and installed a miniature radio
transmitter into the guts of your system.  Or if you aren't using the
latest security updates, and worse yet, using PHP, and there's a flaw in
your web framework that hasn't been patched or you don't know about.

(Some people have talked about using OwnCloud as being more secure
than cloud services from companies like Amazon or FaceBook.  Now, the
founder of OwnCloud the startup is a friend of mine, and I wish him
all of the best success in the world.  But the fact it uses PHP for
its web front end makes me shudder with fear.)

And of course, it might not be PHP; it might be security weakness with
your web server, or with your security assumptions that everything
behind your firewall is secure --- but then it turns out that your
access point is running a 2.4 based kernel to support an ancient
legacy binary-only blob, and it's been cracked to a fare-thee-well,
and then the attacker has used that to establish a beachhead from your
"smart refrigerator", and is then attacking your internal
infrastructure from there.

So don't get me wrong; having a good RNG is important.  But I do find
it interesting the volume of attention it is getting on this mailing
list compared to all of the other things that we have to get right in
order for the entire solution to be secure.  It may be my own personal
area of interest, but let's be realistic here.  If it's a hundred
times easier to break into a firmware update system and hide something
in your printer, or your BIOS, or your router, then maybe that's the
path which various criminal groups or other foreign intelligence
services (especially including those who are most likely much less
well resourced than the NSA) will use to screw you over.

						- Ted
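As an added illustration of the "mix from as many sources as possible" point above (example code, not from Ted's message nor from any kernel RNG): a toy pool that folds every source through a keyed hash, beside a naive XOR combiner, showing why hash mixing stays safe when some sources are stuck or attacker-known while XOR mixing does not. The source samples are constructed.

```python
import hashlib
import hmac
from typing import Callable, Sequence

POOL_BYTES = 32

def hash_mix(sources: Sequence[bytes]) -> bytes:
    """Chain each sample into the pool with HMAC-SHA256, keyed by the
    current pool state and domain-separated by the source index."""
    pool = bytes(POOL_BYTES)
    for idx, sample in enumerate(sources):
        pool = hmac.new(pool, idx.to_bytes(4, "big") + sample, hashlib.sha256).digest()
    return pool

def xor_mix(sources: Sequence[bytes]) -> bytes:
    """Naive combiner: XOR fixed-length samples together."""
    acc = bytes(POOL_BYTES)
    for sample in sources:
        padded = sample.ljust(POOL_BYTES, b"\x00")[:POOL_BYTES]
        acc = bytes(a ^ b for a, b in zip(acc, padded))
    return acc

def forge_xor_input(known: Sequence[bytes], target: bytes) -> bytes:
    """An attacker who controls one XOR input and knows all the others can
    choose that input so the combined output equals `target` exactly.
    Against hash_mix the same trick would need a hash preimage."""
    others = xor_mix(known)
    return bytes(a ^ b for a, b in zip(others, target))

# Constructed samples standing in for real sources (hardware RNG,
# interrupt timings, disk seek jitter, ...).  SRC_STUCK is a source that
# failed silently and returns all zeros, SRC_KNOWN one the attacker can
# predict, SRC_SECRET the single source the attacker cannot.
SRC_STUCK = bytes(POOL_BYTES)
SRC_KNOWN = bytes.fromhex("11" * POOL_BYTES)
SRC_SECRET = bytes.fromhex("5e" * (POOL_BYTES - 1) + "01")

def secret_still_matters(mixer: Callable[[Sequence[bytes]], bytes]) -> bool:
    """True if flipping one bit of the unpredictable source changes the
    mixer's output even though every other source is fixed and known."""
    flipped = SRC_SECRET[:-1] + bytes([SRC_SECRET[-1] ^ 0x01])
    return mixer([SRC_STUCK, SRC_KNOWN, SRC_SECRET]) != mixer([SRC_STUCK, SRC_KNOWN, flipped])
```

Both combiners pass `secret_still_matters`; the difference shows up only when one input is adversarial, which is the case the hash chain is there to cover.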


More information about the cryptography mailing list