[Cryptography] Auditing rngs

ianG iang at iang.org
Wed Jan 22 02:06:07 EST 2014


On 21/01/14 20:55 PM, John Kelsey wrote:
> It seems like it should be relatively straightforward to do a cut and choose style audit on a random bit generator.  However, the functionality you would need for this would also be a hell of an attack point, so it's a mixed bag.
> 
> Imagine you have an HSM that has its own entropy source.  We want to have it do something that requires randomness, say generate an RSA key.  So we do the following:


How about this variant.  Let's have the HSM have its own entropy source.
But let's expand the scope to multiple HSMs (which are required anyway).

HSM1 is put into key generation mode.  HSM2 is put into RNG/audit mode.

HSM2 collects the entropy, processes it into an RN stream, escrows it,
and passes it to HSM1.

HSM1 reads in the RN stream, and creates the key.

HSM1 then passes the key back to HSM2, which then verifies the key and
verifies that it was generated deterministically.

If the HSMs follow the same protocol, then they can be used to verify
each other.



iang
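The two-HSM audit flow described above, as an added example that is not part of the original post and is not any HSM vendor's code: HSM2 expands raw entropy into a fixed random stream and keeps (escrows) it, HSM1 derives an RSA key using only bytes read from that stream, and HSM2 then re-runs the same deterministic derivation over its escrowed copy and compares the result to the key HSM1 handed back. The DRBG (HMAC-SHA256 in counter mode), the toy 512-bit key size, the fixed Miller-Rabin bases and the function names are all assumptions made for the example; a real deployment would use an approved DRBG, full-size keys and a proper keygen standard, but the audit logic (regenerate from escrow, compare, and also check the key is internally consistent) is the same.

```python
import hashlib
import hmac
import math
import os
import struct

STREAM_LEN = 65536  # constructed: generous so the prime search never runs dry
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # fixed witnesses keep keygen deterministic


def expand_entropy(entropy: bytes, nbytes: int = STREAM_LEN) -> bytes:
    """HSM2 (RNG/audit mode): turn raw entropy into a reproducible RN stream.
    Simplified HMAC-SHA256 counter-mode expander, an assumption for this example."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hmac.new(entropy, struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]


class StreamReader:
    """HSM1's only source of randomness: sequential reads from the passed-in stream."""
    def __init__(self, stream: bytes):
        self.stream, self.pos = stream, 0

    def read(self, n: int) -> bytes:
        if self.pos + n > len(self.stream):
            raise ValueError("RN stream exhausted")  # auditable failure, never fall back to local entropy
        chunk = self.stream[self.pos:self.pos + n]
        self.pos += n
        return chunk


def is_probable_prime(n: int) -> bool:
    """Trial division plus Miller-Rabin with fixed bases (deterministic by construction)."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(reader: StreamReader, bits: int) -> int:
    """Deterministic prime search: every candidate comes from the audited stream."""
    while True:
        cand = int.from_bytes(reader.read(bits // 8), "big")
        cand |= (1 << (bits - 1)) | 1  # force the top bit and oddness
        if is_probable_prime(cand):
            return cand


def generate_rsa_key(stream: bytes, bits: int = 512) -> dict:
    """HSM1 (key generation mode): RSA keygen driven entirely by the RN stream."""
    r = StreamReader(stream)
    e = 65537
    while True:
        p, q = next_prime(r, bits // 2), next_prime(r, bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return {"n": p * q, "e": e, "d": pow(e, -1, phi), "p": p, "q": q, "consumed": r.pos}


def audit_key(escrowed_stream: bytes, reported: dict, bits: int = 512) -> tuple:
    """HSM2 (audit mode): regenerate from the escrowed stream and compare with what HSM1 returned.
    Also checks the returned key is internally consistent, so a substituted key is caught."""
    expected = generate_rsa_key(escrowed_stream, bits)
    m = 12345  # constructed probe message, well below n
    checks = {
        "public_matches": (expected["n"], expected["e"]) == (reported["n"], reported["e"]),
        "private_matches": expected["d"] == reported["d"],
        "factors_consistent": reported["p"] * reported["q"] == reported["n"],
        "roundtrip": pow(pow(m, reported["e"], reported["n"]), reported["d"], reported["n"]) == m,
    }
    return all(checks.values()), checks


def run_protocol(entropy: bytes = None, bits: int = 512) -> dict:
    """Full exchange: HSM2 escrows the stream, HSM1 derives the key, HSM2 audits it."""
    entropy = os.urandom(32) if entropy is None else entropy
    stream = expand_entropy(entropy)          # HSM2 keeps this copy
    key = generate_rsa_key(stream, bits)      # HSM1 receives the stream, returns the key
    ok, checks = audit_key(stream, key, bits) # HSM2 verifies determinism and consistency
    return {"stream": stream, "key": key, "ok": ok, "checks": checks}


if __name__ == "__main__":
    result = run_protocol()
    print("audit passed:", result["ok"], "stream bytes consumed:", result["key"]["consumed"])
```

The point the audit catches is a key that did not come from the escrowed stream: if HSM1 had quietly mixed in its own randomness (or swapped in a key it already held), `public_matches` fails because HSM2's regeneration diverges. The roundtrip and factor checks are there so that a key which matches the escrow but is malformed is also rejected, and the reader raising on exhaustion rather than falling back to local entropy keeps the derivation fully reproducible.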

