[Cryptography] Hard Truths about the Hard Business of finding Hard Random Numbers

John Denker jsd at av8n.com
Wed Jan 29 19:38:46 EST 2014



On 01/29/2014 03:14 PM, ianG wrote:

> As many have noticed, there is now a permathread

One reason there is a permathread is that people keep saying
wrong things.

>             i. Entropy can be objectively analysed as long as we do not
> have an attacker. An attacker can deliver a faulty device, can change
> the device, and can change the way the software deals with the device at
> the device driver level. And much more...

That's a red herring.  The attacker can also bugger the BIOS,
bugger the keyboard scanner, et cetera.  Supply-chain trust
is a problem.  This problem does not affect entropy-sources
any more than it affects a hundred other things.  If you're
going to give up on entropy because of supply-chain trust
issues, you ought to give up on everything.

Also:  One point that the web page doesn't mention:  It helps
to use general-purpose components.  Using special-purpose 
crypto chips (including RNG chips) is like putting a "kick 
me" sign on your own back.  In contrast, a sound card can be 
put to lots of different uses, and it is relatively hard for 
the bad guys to mess with it in a way that subverts the crypto 
without making the device unusable for other purposes.

This doesn't solve all the world's problems (angry birds) 
but it helps.

>  No Test.

That's imprecise and overstated.  Not all measurements are
created equal.
  a) We agree that statistical tests on the output are mostly
   window-dressing.  As Dijkstra said, testing can show the 
   presence of bugs, but it can never show the absence of bugs.

  b) On the other hand, there are some things that do need to
   be measured, such as the impedance, gain, and bandwidth
   of the source.  These physical measurements are not even 
   remotely in the same category as statistical tests on the
   outputs.

Statistical tests on the output are mostly pointless but harmless.
The real point should be twofold:
 a) Do not rely on statistical tests on the output.

 b) Do the calibration.  Do the /right kind/ of measurements.
  An ounce of calibration is worth more than a ton of 
  wishful thinking.

>             ii. This approach is complete if we have control of our
> environment. Of course, it is very easy to say Buy the XYZ RNG and plug
> it in. But many environments do not have that capability, often enough
> we don't know our environment, and the environment can break or be
> changed. Examples: rack servers lacking sound cards; phones; VMs;
> routers/firewalls; early startup on embedded hardware.

Yeah, different machines will have different peripherals.
So what?  We have for decades been dealing with different
graphics hardware, different disk hardware, different
networking hardware, even different math coprocessors.
We deal with this by loading different drivers and different 
libraries.

When faced with the equivalent problem in RNG space, it
would be ridiculous to just give up.

> . In conclusion, entropy is too high a target to reach.

Nonsense.  It is definitely reachable.  Yeah, it's hard, but
lots of things in cryptography are hard.  We don't just give
up when we see something that requires a bit of work.


> Cryptographically secure random numbers (or CSRNs) are numbers
> that are not predictable /to an attacker/.

I assume that refers to something involving a PRNG.  The problem
with all such things is that they require a seed ... whereupon
we need a HRNG anyway.

Let's be clear:  You can have a HRNG without a PRNG but not
vice versa.

On 01/29/2014 03:03 AM, Thierry Moreau wrote:

> Indeed there are no low entropy environments.

At present there are plenty of environments that are critically 
lacking in trusted sources of entropy.  They will remain so
unless and until somebody takes pains to remedy the situation.

A server farm with lots of VMs is an obvious and important example.
One critical requirement is proper /provisioning/ of each new
machine with its own initial endowment of entropy.  Later, during
routine operations, there are ongoing problems.  If the main
array of servers lacks well-calibrated well-trusted sources of
entropy, one way to alleviate the problem is to buy a couple 
of special machines, special enough to have sound cards.  These
distribute random outputs around the room via secure links.  The 
VM guest machines can read from a virtio-rng device, or from a 
socket.

==============

To summarize:  Giving up on the HRNG is neither necessary nor
possible.

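The "do the calibration" point above (measure the impedance, gain and bandwidth of the source rather than trusting statistical tests on the output), as an added example that is not part of Denker's message or of any RNG software: it converts bench measurements of a sound-card input into a credited min-entropy per sample, crediting only the Johnson-noise floor that physics guarantees. All function names and the figures in the demo (10 kOhm input impedance, 20 kHz bandwidth, 40 dB preamp, 16-bit ADC) are constructed for illustration.

```python
import math

K_BOLTZMANN = 1.380649e-23  # J/K, exact SI value


def johnson_noise_vrms(resistance_ohm, bandwidth_hz, temperature_k=300.0):
    """RMS thermal (Johnson-Nyquist) noise of a resistance: sqrt(4 k T R B).
    This is the floor physics guarantees from the measured impedance and bandwidth."""
    return math.sqrt(4.0 * K_BOLTZMANN * temperature_k * resistance_ohm * bandwidth_hz)


def noise_sigma_counts(vrms, preamp_gain, counts_per_volt):
    """Express the noise standard deviation in ADC codes via the measured gain chain."""
    return vrms * preamp_gain * counts_per_volt


def credited_sigma(measured_sigma, predicted_sigma, tolerance=0.2):
    """Credit only the Johnson floor: excess output variance may be mains hum or other
    pickup, which is not entropy. Output noticeably below the floor means the impedance,
    gain or bandwidth figures are wrong, so the calibration itself fails."""
    if measured_sigma < (1.0 - tolerance) * predicted_sigma:
        raise ValueError("measured noise below the Johnson floor: recheck R, gain, bandwidth")
    return min(measured_sigma, predicted_sigma)


def min_entropy_per_sample(sigma_counts):
    """Min-entropy in bits of one quantized Gaussian sample. The worst case is the 1-LSB
    bin centred on the mean, with probability erf(0.5 / (sigma * sqrt(2))); when sigma is
    well below one LSB that probability approaches 1 and the credit collapses to ~0 bits."""
    if sigma_counts <= 0.0:
        return 0.0
    return -math.log2(math.erf(0.5 / (sigma_counts * math.sqrt(2.0))))


def samples_for_bits(bits_wanted, h_per_sample, safety_factor=2.0):
    """Samples to hash down for a seed of bits_wanted bits, with a margin for imperfect
    calibration (the hash output is credited with no more than the input min-entropy)."""
    if h_per_sample <= 0.0:
        raise ValueError("source delivers no credited entropy")
    return math.ceil(safety_factor * bits_wanted / h_per_sample)


if __name__ == "__main__":
    # Constructed bench figures for a hypothetical line input (see lead-in).
    vrms = johnson_noise_vrms(10e3, 20e3)
    predicted = noise_sigma_counts(vrms, preamp_gain=100.0, counts_per_volt=32768.0)
    sigma = credited_sigma(measured_sigma=7.1, predicted_sigma=predicted)
    h = min_entropy_per_sample(sigma)
    print(f"Johnson floor {vrms*1e6:.2f} uV -> {predicted:.2f} LSB rms, "
          f"{h:.2f} bits/sample, {samples_for_bits(256, h)} samples for 256 bits")
```

With the constructed figures the floor is roughly 1.8 uV, about 6 LSB rms, which credits just under 4 bits per sample; a source whose noise sits below one LSB is correctly credited with almost nothing, which is the case a statistical test on the output would not reveal.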
