[Cryptography] Hard Truths about the Hard Business of finding Hard Random Numbers

John Denker jsd at av8n.com
Thu Jan 30 21:26:29 EST 2014


On 01/30/2014 06:29 PM, John Kelsey wrote:

> There is a tradeoff between purpose-built crypto hardware, and
> off-the-shelf computers and devices pressed into service to do
> crypto.  The purpose-built crypto hardware and software is a bigger
> target for very high end attackers, but it is also almost certain to
> be designed to be harder to tamper with in the field, and it's
> probably designed with security in mind to a far greater extent than
> general-purpose hardware and software.  Worse, if some commonplace
> software or hardware component becomes the thing everyone bases their
> entropy collection on, that will become a tempting point for a
> targeted attack, but the sound card manufacturer or whatever won't
> think they're primarily building a security product.
> 
> A dedicated crypto device can be designed to try to resist a lot of
> attacks that will pretty trivially compromise most off the shelf
> hardware and software devices, like side-channel attacks.  It
> normally will be resistant to compromise by someone who takes over
> the computer it's installed in or connected to.  It can have an
> entropy source that's purpose-designed and analyzed as an entropy
> source, reasonably resistant to intentional or accidental outside
> interference, etc.  For whatever it's worth, it can also be tested by
> some organization that validates hardware crypto devices.  Those
> validations all have problems, but they're probably better than no
> validation, which is the practical alternative.

Oh, you mean the way the current generation of electronic
voting machines were "validated" by "independent" testing
labs as required by law?  It's a travesty.
   https://www.google.com/search?q=%22voting+machine%22+vulnerabilities

What's to keep the TLA that subverted the design of the crypto
chip from subverting the validation procedure?

The only procedure I've heard of that makes any sense is based
on cut-and-choose.
 -- Somebody makes a million sound cards, intended for the genuine
  audio market.
 -- I buy a bunch of them.  I select a subset at random and tear
  them down.  Anything that does not conform to the sound-card
  blueprint is disqualifying.
 -- If I don't like what I see, I can return the whole batch to
  the sound-card market ... which is something I could not do 
  with purpose-built crypto products.
 -- No, I'm not panicked about side-channel attacks.  The sound
  card is already well shielded, for ordinary audiophile reasons.
  There is no reason to think that the sound subsystem is more 
  vulnerable than the networking subsystem or the memory subsystem
  or anything else.  Furthermore I can deliberately transmit a
  jamming signal that swamps whatever is leaking out of the sound
  card, with orders of magnitude to spare.
 -- Similarly I'm not panicked about incoming interference.  The
  soundcard is already well shielded, and furthermore any such
  interference would be detectable long before it caused real
  degradation, with orders of magnitude to spare.  So the best
  an attacker could hope for would be a preposterously expensive
  denial-of-service attack that called attention to the attacker.

To be clear:  At the moment I have not seen any off-the-shelf
soundcards with a validation I trust, but on the other hand
I haven't seen anything else I trust, be it purpose-built or 
otherwise.  So you can argue the comparison either way.  It's 
an indeterminate form, travesty divided by zero.

The same applies to software:  Open-source software "could" be
reviewed by anyone, which is a lovely theory, but in practice
a lot of the stuff we rely on has never been subjected to 
anything remotely resembling a rigorous code review. A thousand
cursory checks are nowhere near as useful as one thorough,
professional review.

Face it, the community has not learned to take security seriously.
There is a treeeeemendous seriousness gap, because the attackers
do take their job seriously.  If we spent anywhere near as much
securing Android as They-Who-Shall-Not-Be-Named have spent 
subverting it, the world would be a far different place.
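The cut-and-choose procedure above is a sampling argument: tearing down a random subset of a batch only helps if the subset is large enough that a tampered fraction would almost certainly be caught. The following script, added here and not part of the original post or of any product it mentions, works that arithmetic out with the hypergeometric distribution (sampling without replacement). Batch sizes, tampered counts and confidence targets in the usage block are constructed values for illustration.

```python
from math import comb


def p_miss(batch, tampered, torn_down):
    """Probability that tearing down `torn_down` randomly chosen cards from a
    batch of `batch` cards, of which `tampered` are subverted, finds none of
    the subverted ones. Sampling is without replacement (hypergeometric)."""
    if tampered < 0 or torn_down < 0 or tampered > batch or torn_down > batch:
        raise ValueError("counts must satisfy 0 <= tampered, torn_down <= batch")
    if torn_down > batch - tampered:
        # More cards torn down than there are clean ones: a tampered card
        # is guaranteed to be in the sample.
        return 0.0
    return comb(batch - tampered, torn_down) / comb(batch, torn_down)


def p_detect(batch, tampered, torn_down):
    """Probability that at least one tampered card ends up on the bench."""
    return 1.0 - p_miss(batch, tampered, torn_down)


def sample_size_for(batch, tampered, confidence):
    """Smallest number of cards to tear down so that at least one tampered
    card is found with probability >= `confidence`. If `tampered` is 0 the
    target can never be met and None is returned."""
    if tampered == 0:
        return None
    for torn_down in range(0, batch + 1):
        if p_detect(batch, tampered, torn_down) >= confidence:
            return torn_down
    return None


if __name__ == "__main__":
    # Constructed scenario: a buyer takes 1000 cards from the audio market
    # and wants 99% confidence of catching an adversary who subverted 1%.
    batch, tampered = 1000, 10
    for conf in (0.90, 0.99, 0.999):
        k = sample_size_for(batch, tampered, conf)
        print(f"{conf:.1%} confidence -> tear down {k} of {batch} cards")
    # Tearing down only a handful is nearly useless against a 1% tampering rate.
    print(f"detect with 5 teardowns: {p_detect(batch, tampered, 5):.3f}")
```

The numbers make the post's point concrete: against a small tampered fraction, a "bunch" of teardowns must be a few hundred cards, not a few, before the return-the-batch threat is credible. The same function also shows what a batch is worth when no teardown is done at all (`torn_down=0` gives zero detection).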
