[Cryptography] cryptography Digest, Vol 9, Issue 29

Arnold Reinhold agr at me.com
Wed Jan 29 15:36:16 EST 2014


Yesterday's thread on this topic demonstrates what I have been trying to say. Everyone thinks they know how to generate random bits for cryptography. Everyone thinks the other guy is doing it wrong and everyone is looking at the problem through a different lens and therefore missing something important. (And I don't exclude myself.)

On Wed, 29 Jan 2014 James A. Donald wrote:
> We do, however, know how to do RNG right. We just don't do it right.
> 
> Use many, many different entropy sources, even ones that are known to 
> suck.  The attacker cannot predict or control all of them.

I agree, find me a standard that says that.

> …If your device likely has a solid state drive, so no hard drive 
> turbulence, then it likely has lots of hardware sources of thermal noise 
> and quantum noise, as for example the android phone.


Mobile phones are easy. The hard case is the large number of "internet of things" devices being sold or about to be introduced. (Google did not pay $3.2 billion for Nest just to conquer the digital thermostat business.) Most of these devices lack a hard drive and many have no other obvious source of randomness, especially when they first start up. Some will be used in places where they can do real damage.

Paul Hoffman wrote:

> ...On all recent FreeBSDs:
> 
> # dir /dev | grep random
> crw-rw-rw-   1 root  wheel     0x14 Oct  7 07:01 random
> lrwxr-xr-x   1 root  wheel        6 Oct  7 14:00 urandom -> random

As I understand it, FreeBSD currently uses Yarrow for both random and urandom. See https://wiki.freebsd.org/201308DevSummit/Security/DevRandom for a discussion of possible startup problems.

Thierry Moreau wrote:

> There are no economic incentives for a low-cost manufacturer to commit 
> to provide a "trusted" source of entropy. Intel did something and now 
> their design is suspected of back-door by (a portion of) the very 
> community that requested something to be done.

Intel hid their entropy source behind an AES-based whitener, a design that is ideal for back-dooring. There is no technical or economic reason for doing that and it should be considered as suspicious as Dual_EC_DRBG was. If they had a more transparent design, I suspect they would have earned broad community support.

As for economic incentives, the only one I can think of is to earn a certification stamp. FIPS-140 is both overkill and underkill for such devices.  We need something better.

> 
> Somehow this discussion tends to run into circles.

An astute observation. I submit this happens because there is no standard or guideline nor a process to get one that has any acceptance.  I suggested a Wiki as a start. Any other ideas?

Arnold Reinhold
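The pooling rule quoted above from James Donald ("use many sources, even ones that suck; the attacker cannot predict or control all of them"), as an added example that is not code from this thread or from any system it mentions: every source, strong or weak, is hashed into one seed, and the attacker's guess space is bounded by the one source they cannot see. The source labels and byte values are constructed for illustration.

```python
import hashlib
from itertools import product

def mix_entropy_sources(sources):
    """Hash several labelled sources into one 32-byte seed.

    Each source is domain-separated (label + length prefix) so that moving
    bytes between sources cannot yield the same digest. The seed is only as
    unpredictable as the sources the attacker does NOT know, but adding a
    weak or even attacker-controlled source never makes it more predictable."""
    h = hashlib.sha256()
    for label in sorted(sources):
        data = sources[label]
        h.update(label.encode("ascii"))
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.digest()

def attacker_guess_space(known, unknown_label, unknown_nbytes):
    """Model an attacker who knows every source except one.

    Returns the set of seeds they would have to try; its size is bounded by
    the entropy of the single unknown source (256**unknown_nbytes here)."""
    candidates = set()
    for guess in product(range(256), repeat=unknown_nbytes):
        trial = dict(known)
        trial[unknown_label] = bytes(guess)
        candidates.add(mix_entropy_sources(trial))
    return candidates

# Constructed sample sources: three "sucky" ones an attacker can predict
# (a boot counter, a constant, a coarse timer) plus one byte of ADC noise
# the attacker cannot see. Values are illustrative, not real device data.
KNOWN = {
    "boot_counter": b"\x00\x00\x00\x07",
    "constant_ctl": b"\x00" * 16,
    "timer": b"\x12\x34",
}
SECRET = {"adc_noise": b"\xa7"}

if __name__ == "__main__":
    seed = mix_entropy_sources({**KNOWN, **SECRET})
    space = attacker_guess_space(KNOWN, "adc_noise", 1)
    print(seed.hex(), len(space), seed in space)
```

With one unknown byte the attacker's search is 256 seeds; each additional unknown byte multiplies it by 256, regardless of how poor the predictable sources are.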