[Cryptography] The world's most secure TRNG
David Johnston
dj at deadhat.com
Wed Oct 8 21:17:57 EDT 2014
On 10/8/2014 4:00 PM, Dave Horsfall wrote:
> It's possible that I may have missed this (the list seems to have spiked
> lately), but how would the device present itself to the host? A serial
> stream of random bits (like a terminal or a keyboard), or some sort of a
> structure with command and control etc?

The USB serial profile isn't a bad one. The drivers will be present in
any OS and you can communicate the necessary protocol on top of the
serial device. It certainly beats writing a device driver for every OS.

Since the device would be external to the computer (i.e. on the other
end of a USB connection) it would be good if the owner of the device
could provision the device with a secret key or a keypair which then
sends the random data in signed lumps with some monotonic counter. So if
something evil got in between the device and the consumer (application
or OS kernel or VM or whatever) the consumer could check the data is
what came from the device and isn't a replay or spoofed data. It's not
perfect, but it addresses a number of attack scenarios.

I think the primary problem with writing software that uses random data
is establishing that you have it. Most environments are
indistinguishable in that sense. A low entropy platform with lots of
interrupts (e.g. a synchronously clocked embedded controller with no IO
until after it booted) will still provide data from /dev/random. It's
easy to build a platform that has an entropy supply. It's hard to know
how to tell that you're on such a platform if you're writing software to
run on many platforms.

An external USB source is a good solution if you have an application
that can securely identify data sourced from the device, regardless of
what the platform in between is. Stick the device in the USB port, run
the software and you've bypassed the risks of a low entropy platform
that isn't otherwise acting against your best interests. If it's just a
noise source, it'll still work, but I wouldn't call it the most
defensive design you could create.

FWIW, I've analyzed the raw entropy from hardware entropy sources on
several products from several manufacturers and an alarming proportion
of them either don't meet their min-entropy criteria or never defined
them in the first place. Get your ducks in a row on the min-entropy you
guarantee, the design margin, the online testing to ensure it's working
and the extraction process and you will be in the upper quartile of RNG
design quality.

-DJ
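The "signed lumps with a monotonic counter" design DJ describes above, as an added worked example that is not part of his post and models no real product. It assumes a symmetric secret key provisioned into both the device and the consumer and uses HMAC-SHA256 as the signature (a keypair with a real signature scheme would slot into the same chunk layout); the chunk format (8-byte big-endian counter, then the random bytes, then the tag) and the class names are constructed for illustration. The consumer side rejects chunks with a bad tag (spoofed or altered) and chunks whose counter does not strictly increase (replayed), which is exactly what the man-in-the-middle scenario in the post needs.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32      # HMAC-SHA256 output size
COUNTER_LEN = 8   # big-endian unsigned 64-bit counter


class TrngDevice:
    """Constructed model of the external USB device: each call emits one
    'lump' = counter || random bytes || HMAC(key, counter || random bytes).
    The counter is monotonic for the lifetime of the provisioned key."""

    def __init__(self, key: bytes, noise=os.urandom):
        self._key = key          # provisioned by the owner
        self._counter = 0
        self._noise = noise      # entropy source (os.urandom stands in here)

    def next_chunk(self, n: int = 32) -> bytes:
        self._counter += 1
        body = struct.pack(">Q", self._counter) + self._noise(n)
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return body + tag


class ChunkVerifier:
    """Consumer side (application, kernel, VM...): only hands out random
    bytes from chunks that authenticate and are fresher than the last one."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def accept(self, chunk: bytes) -> bytes:
        if len(chunk) < COUNTER_LEN + TAG_LEN:
            raise ValueError("truncated chunk")
        body, tag = chunk[:-TAG_LEN], chunk[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time compare: a spoofed or altered chunk fails here.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag: spoofed or corrupted chunk")
        counter = struct.unpack(">Q", body[:COUNTER_LEN])[0]
        # Strictly increasing counter: a replayed chunk fails here.
        if counter <= self._last_counter:
            raise ValueError("stale counter: replayed chunk")
        self._last_counter = counter
        return body[COUNTER_LEN:]


def demo() -> dict:
    """Exercise the four cases a hostile middle-box could produce.
    Returns True where the consumer accepted the chunk, False where it
    rejected it."""
    key = os.urandom(32)             # constructed provisioning secret
    dev = TrngDevice(key)
    consumer = ChunkVerifier(key)
    outcomes = {}

    genuine = dev.next_chunk(32)
    outcomes["genuine"] = len(consumer.accept(genuine)) == 32

    try:                             # same chunk delivered twice
        consumer.accept(genuine)
        outcomes["replay"] = True
    except ValueError:
        outcomes["replay"] = False

    fresh = dev.next_chunk(32)
    tampered = bytearray(fresh)
    tampered[COUNTER_LEN] ^= 0x01    # flip one bit of the random payload
    try:
        consumer.accept(bytes(tampered))
        outcomes["tampered"] = True
    except ValueError:
        outcomes["tampered"] = False

    impostor = TrngDevice(os.urandom(32))   # device without the real key
    impostor._counter = 10 ** 6             # a high counter does not help it
    try:
        consumer.accept(impostor.next_chunk(32))
        outcomes["wrong_key"] = True
    except ValueError:
        outcomes["wrong_key"] = False

    return outcomes


if __name__ == "__main__":
    print(demo())
```

The verifier keeps only the highest counter seen, so a chunk the middle-box delays and re-sends after a newer one is rejected too; what this design cannot address is a middle-box that simply drops chunks, which the consumer sees as a stalled device rather than as bad data.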
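On the "min-entropy you guarantee, the design margin, the online testing" point in the last paragraph, here is an added example (my code, not DJ's, and not a certified implementation) of the arithmetic involved. It uses the Most Common Value estimator and the Repetition Count health test from NIST SP 800-90B, applied to byte-valued samples; the sample streams are constructed with a seeded PRNG purely to have something deterministic to run against, so the "good" source stands in for a full-entropy byte source and the "biased" source for one whose top four bits are stuck.

```python
import math
import random
from collections import Counter
from itertools import groupby


def min_entropy_mcv(samples: bytes) -> float:
    """Most Common Value estimate (SP 800-90B 6.3.1), bits per byte-symbol.
    Uses the 99% upper bound on p_max so the estimate is conservative."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    p_max = Counter(samples).most_common(1)[0][1] / n
    p_u = min(1.0, p_max + 2.576 * math.sqrt(p_max * (1 - p_max) / (n - 1)))
    return -math.log2(p_u)


def repetition_count_cutoff(h_per_symbol: float, alpha: float = 2.0 ** -20) -> int:
    """Run length at which an H-bit/symbol source would fail the Repetition
    Count test with false-alarm probability alpha: 1 + ceil(-log2(alpha)/H)."""
    return 1 + math.ceil(-math.log2(alpha) / h_per_symbol)


def repetition_count_test(samples: bytes, claimed_h: float) -> bool:
    """Online health test: True if no run of identical symbols reaches the
    cutoff derived from the claimed min-entropy, False if the source looks
    stuck. In a real device this runs continuously on the raw noise."""
    cutoff = repetition_count_cutoff(claimed_h)
    longest = max(len(list(run)) for _, run in groupby(samples))
    return longest < cutoff


def assess(samples: bytes, claimed_h: float, margin: float) -> dict:
    """Compare the measured estimate against the guaranteed figure plus the
    design margin, and run the health test against the guarantee."""
    estimate = min_entropy_mcv(samples)
    return {
        "estimate": estimate,
        "meets_claim": estimate >= claimed_h + margin,
        "health_ok": repetition_count_test(samples, claimed_h),
    }


# Constructed sample streams (seeded so the numbers are reproducible).
_rng = random.Random(1)
GOOD_SOURCE = bytes(_rng.getrandbits(8) for _ in range(20000))
BIASED_SOURCE = bytes(b & 0x0F for b in GOOD_SOURCE)   # only 16 symbols
STUCK_SOURCE = b"\x00" * 1000


if __name__ == "__main__":
    # Hypothetical datasheet figure: 6.5 bits/byte guaranteed, 0.5 margin.
    for name, src in (("good", GOOD_SOURCE), ("biased", BIASED_SOURCE),
                      ("stuck", STUCK_SOURCE)):
        print(name, assess(src, claimed_h=6.5, margin=0.5))
```

The point of the margin is that an estimator run on a finite sample always sits somewhat below the true figure, and a design that guarantees exactly what it measured on the bench has no headroom for aging or temperature; the online test is what catches the case where the guarantee stops holding in the field.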