[Cryptography] A TRNG review per day (week?): ATSH204A
waywardgeek at gmail.com
Sun Nov 9 08:16:40 EST 2014
On Sun, Nov 9, 2014 at 7:26 AM, Bill Cox <waywardgeek at gmail.com> wrote:
> There are many comments about Atmel's part like this:

I didn't explain why I find posts like this so scary. A bunch of our
Linksys/Cisco routers apparently use the ATSHA204A for seeding /dev/random
at boot, to cover a security hole caused by lack of entropy in the device.
This thread is about a guy adding this "random" seed to OpenWRT! There are

"Certain randomness extractors need a random seed."

Huh? Which randomness extractors require a random seed? This is a scary
level of ignorance for guys implementing such critical security code. If
the MiB have a copy of every ATSHA204A's seed, they might be able to PWN a
huge number of routers.

Here's a great quote on this thread from the data sheet:

"Random numbers are generated from a combination of the output of a
hardware random number generator and an internal seed value, which is not
externally accessible. The internal seed is stored in the EEPROM, and is
normally updated once after every power-up or sleep/wake cycle."

If the TRNG is capable of producing even 200 bits of entropy, then why do
they need the seed at all? Why bother to "update" it? Here's what I
think: they only implemented a short counter to save a few gates. When it
overflows, the device will start spitting out repeated "random" values.

There is a simple way to test this. They have the ability to turn off the
seed update. If the device generates correlated keys after multiple cold
boots with update turned off, then the TRNG is weak. If it always
generates identical keys, then the TRNG doesn't exist at all.

Apparently Atmel expects to fail this test:

"In certain circumstances, the system may choose to suppress the EEPROM
seed update using the mode parameter to the Nonce and Random commands.
Because this may affect the security of the system, it should be used with
caution."

Does anyone have one of these devices that they can test in this mode? I
would love to have access to a few thousand "random" outputs after cold
boot of the device without the seed update.

I find it very difficult to believe this device has a "high quality TRNG"
as Atmel claims. If it did, there would be no impact on the security of
the system when the "seed update" is disabled. There would be no need for
the seed at all.

This device fails the smell test worse than any TRNG I've read about.

And... it's in our routers...
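An added example, not code from the original post, from Atmel, or from OpenWRT: a Python checker for the cold-boot test proposed in the message above. It assumes the Random-command outputs have already been captured with the seed update suppressed and are supplied as lists of byte strings, one list per cold boot; the captures inside the block are constructed stand-ins, not real chip output.

```python
import hashlib
import os

def cross_boot_repeats(boots):
    """Outputs that appear in more than one cold-boot capture.
    boots: list (one entry per cold boot) of lists of bytes outputs."""
    seen_in = {}
    for i, seq in enumerate(boots):
        for out in set(seq):
            seen_in.setdefault(out, set()).add(i)
    return {out for out, idx in seen_in.items() if len(idx) > 1}

def within_boot_repeats(seq):
    """(first_position, repeat_position) pairs for outputs recurring inside
    one boot; a short wrapping counter shows up here as a fixed period."""
    first, reps = {}, []
    for pos, out in enumerate(seq):
        if out in first:
            reps.append((first[out], pos))
        else:
            first[out] = pos
    return reps

def verdict(boots):
    """The post's criteria: identical sequences on every cold boot mean the
    TRNG contributes nothing; any repeat means it is weak; no repeats is
    only a necessary condition for a real TRNG, not proof of one."""
    if len(boots) > 1 and all(seq == boots[0] for seq in boots[1:]):
        return "no TRNG: every cold boot produced the identical sequence"
    if cross_boot_repeats(boots):
        return "weak TRNG: outputs recur across cold boots"
    if any(within_boot_repeats(seq) for seq in boots):
        return "weak TRNG: outputs recur within a single boot (counter wrap?)"
    return "no repeats found (necessary, not sufficient, for a real TRNG)"

def _counter_only_device(seed, n, period):
    """Constructed stand-in for a part with no entropy source: each output is
    a hash of the stored seed and a counter that wraps every `period` calls."""
    return [hashlib.sha256(seed + bytes([i % period])).digest() for i in range(n)]

# Constructed captures, 3 cold boots x 6 outputs each; not real chip data.
SAME_SEED_DEVICE = [_counter_only_device(b"eeprom-seed", 6, 3) for _ in range(3)]
RESEEDED_DEVICE = [_counter_only_device(bytes([b]), 6, 3) for b in range(3)]
HEALTHY_DEVICE = [[os.urandom(32) for _ in range(6)] for _ in range(3)]

if __name__ == "__main__":
    for name, boots in [("same seed", SAME_SEED_DEVICE),
                        ("reseeded", RESEEDED_DEVICE), ("healthy", HEALTHY_DEVICE)]:
        print(f"{name}: {verdict(boots)}")
```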