[Cryptography] cheap sources of entropy
Bill Frantz
frantz at pwpconsult.com
Tue Jan 21 17:27:49 EST 2014
On 1/21/14 at 12:18 PM, jsd at av8n.com (John Denker) wrote:
>My point is that it makes more sense to have one or two
>properly-calibrated well-defended entropy sources than
>some vast number of "sources" that might produce entropy
>or might not.
I am going to assume that John means hardware sources here.
Now I contend that as a sound engineering principle, any
hardware device that is being relied on for important functions
-- life support, security, etc. -- must be regularly tested for functionality.
On 1/20/14 at 1:38 PM, jsd at av8n.com (John Denker) wrote:
>It tells you that if you are using an accelerometer to capture
>the human interaction, the physics of the sensor is a better
>source of entropy than the human is.
...
>Given a high-precision microphone preamp, it provides better
>randomness if the input is open-circuited, rather than attached
>to an actual microphone, no matter how "complex" the acoustic
>environment is ... and it continues to work even in non-complex environments.
It seems to me if we are fortunate enough to have a large number
of sources, like on a smart phone, we should use them all. (My
phone has at least: 2 radio receivers (GPS + cell),
accelerometer, compass, microphone, 2 cameras). We don't have to
add extra hardware. We just have to characterize the hardware we
already have.
There are at least two reasons why this is the best approach:
* The user regularly tests the hardware and gets it repaired
when it fails,
* The bean counters don't have to pay for extra hardware.
Most of the characterizable entropy comes from things like
thermal noise in the amplifiers and band noise in the radios.
(However, the bands used by cell phone receivers are
characterized by relatively low noise.) The rest is what John
calls "squishy", however we'll mix it in anyway.
If we add hardware to open the input to e.g. the microphone and
cameras, then we run the risk of having it fail in a way that
destroys the entropy, so we want to characterize things with
everything in place. No extra hardware keeps the bean counters
happier too.
Having dedicated hardware for randomness is strictly worse
because we don't have any good tests that show it is still working.
Almost any approach is critically dependent on the mixing
function. I have always assumed that secure hash functions work
well in this application, but I don't know of any proof.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        |The nice thing about standards| Periwinkle
(408)356-8506      |is there are so many to choose| 16345 Englewood Ave
www.pwpconsult.com |from. - Andrew Tanenbaum      | Los Gatos, CA 95032
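
Added example, not part of the original message or any poster's code: a minimal sketch of the approach argued for above, where every available source is mixed through a hash, only characterized sources earn entropy credit, and a repetition count health test (modeled on NIST SP 800-90B) checks that a credited source still works. The class name, source names, per-sample entropy figures and sample bytes are all constructed assumptions.

```python
import hashlib
import math

class MixingPool:
    """Hash-based pool: every sample is mixed in, only characterized sources earn credit."""
    def __init__(self, target_bits=256):
        self.state = hashlib.sha256(b"constructed-pool-init").digest()
        self.credited = 0.0
        self.target = float(target_bits)
        self.sources = {}

    def register(self, name, min_entropy_bits=0.0, alpha_exp=20):
        # min_entropy_bits: measured per-sample min-entropy with everything in place;
        # 0 marks a "squishy" source. Cutoff follows the SP 800-90B repetition count
        # test, C = 1 + ceil(-log2(alpha) / H), with alpha = 2**-alpha_exp.
        cutoff = 1 + math.ceil(alpha_exp / min_entropy_bits) if min_entropy_bits > 0 else None
        self.sources[name] = {"h": min_entropy_bits, "cutoff": cutoff,
                              "last": None, "run": 0, "healthy": True}

    def add(self, name, sample):
        src, tag = self.sources[name], name.encode()
        # Assumption (the post notes no proof is known): SHA-256 is an adequate mixer.
        # Length prefixes keep (source, sample) pairs unambiguous.
        self.state = hashlib.sha256(self.state + len(tag).to_bytes(2, "big") + tag
                                    + len(sample).to_bytes(4, "big") + sample).digest()
        if src["cutoff"] is None:
            return  # squishy: mixed in anyway, never credited
        # Health test: a failed sensor tends to repeat one value; latch it as unhealthy.
        src["run"] = src["run"] + 1 if sample == src["last"] else 1
        src["last"] = sample
        if src["run"] >= src["cutoff"]:
            src["healthy"] = False
        if src["healthy"]:
            self.credited = min(self.credited + src["h"], self.target)

    def read(self):
        if self.credited < self.target:
            raise RuntimeError("not enough credited entropy")
        out = hashlib.sha256(self.state + b"output").digest()
        self.state = hashlib.sha256(self.state + b"ratchet").digest()  # old output not recomputable
        self.credited = 0.0
        return out

if __name__ == "__main__":
    pool = MixingPool(target_bits=16)
    pool.register("mic_noise", min_entropy_bits=4.0)  # constructed characterization
    pool.register("touch")                            # squishy, zero credit
    pool.add("touch", b"\x01\x02")
    for i in range(4):
        pool.add("mic_noise", bytes([i]))             # constructed samples
    print(pool.read().hex())
```

A stuck source stops earning credit once it trips the cutoff, but its samples are still hashed into the state, which matches the "mix it in anyway" position in the message.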