[Cryptography] Is Ron right on randomness
dj at deadhat.com
Sat Nov 26 19:32:47 EST 2016
On 11/26/16 6:38 AM, Salz, Rich wrote:
>> Absolutely right. Only TRNGs that make raw data available should be trusted. Further, the source should have a simple physical model which is proven out by measurements, preferably continuously.
> Meanwhile, back in the real world... What should OpenSSL do, given the wide number of platforms and huge uninformed community that depends on it?
1: Add the ability to identify the sources available.
    RdRand and RdSeed in Intel and AMD are easy. Use CPUID.
    The old i810 RNG might be available or emulated in a VM (but then
    you need to know what the VM is doing).
    I understand that there are other on chip sources available on
    other architectures but I am not an expert in using those.
2: Properly characterize the source:
    Min Entropy Sources
    Hill Entropy/Seeded Pseudo random sources
    Gaussian sources (like RF receive chains or the demod error vector
    popular on phone chips)
    FIPS compliant sources
    DRBGs or ENRBGs
3: Apply proper extractor theory to correctly identify the right
extractor algorithms to apply to these sources
4: Combine them with some additional extractor theory.
5: Use that to seed your own CSPRNG as frequently as required - this is
a slightly hard problem which I wrote about yesterday.
6: Provide a simple and comprehensible configuration interface and
reporting options so code through an API and users through the command
line can interrogate what's going on regarding available entropy and set
policy as required (e.g. require only FIPS compliant or SP800-90
compliant or tin foil hat compliant sources).
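The pipeline sketched in steps 2 through 6 above, as an added example that is not part of the original post and not OpenSSL's code: each source is characterized with the most-common-value min-entropy estimator from SP 800-90B, filtered by a policy flag, sampled just far enough to reach the target min-entropy, conditioned with a domain-separated hash, combined by hashing (not XOR), and used to seed an HMAC_DRBG per SP 800-90A with a reseed counter. Step 1 (CPUID detection of RdRand/RdSeed) is platform specific and is not shown; the three sources, their `fips_approved` attribute, the `min_bits_per_sample` threshold and the reseed interval are all constructed or assumed values for illustration, and the deterministic byte cycle standing in for "rdseed" is not random, it only exercises the estimator.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass

SHA = hashlib.sha256


def mcv_min_entropy(samples, sample_bits):
    # Most-common-value estimate (SP 800-90B, 6.3.1): bits of min-entropy per sample,
    # using the 99% upper confidence bound on the most frequent symbol's probability.
    # In practice this is one of several 90B estimators and the minimum is taken.
    n = len(samples)
    if n < 2:
        return 0.0
    counts = {}
    for s in samples:
        counts[s] = counts.get(s, 0) + 1
    p_hat = max(counts.values()) / n
    p_upper = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return max(0.0, min(float(sample_bits), -math.log2(p_upper)))


def samples_needed(target_bits, bits_per_sample):
    # Raw samples to draw so the conditioner input carries target_bits of min-entropy.
    return math.ceil(target_bits / bits_per_sample)


def condition(name, raw):
    # Hash conditioner: domain-separated and length-prefixed so sources cannot collide.
    return SHA(b"src:" + name.encode() + len(raw).to_bytes(4, "big") + raw).digest()


def combine(blocks):
    # Combine conditioned blocks by hashing them together rather than XORing them:
    # with XOR, a source that can observe another could cancel its contribution.
    h = SHA(b"combine:" + len(blocks).to_bytes(2, "big"))
    for b in blocks:
        h.update(b)
    return h.digest()


@dataclass
class NoiseSource:
    name: str
    sample_bits: int
    fips_approved: bool   # assumed attribute, used only by the policy filter
    samples: bytes        # raw samples, as a source exposing raw data would provide


def gather_seed(sources, target_bits=256, fips_only=False, min_bits_per_sample=0.1):
    # Steps 2-6: characterize each source, apply policy, draw enough samples,
    # condition, combine, and return a report for the configuration interface.
    blocks, report = [], {}
    for src in sources:
        if fips_only and not src.fips_approved:
            report[src.name] = "rejected: not FIPS approved"
            continue
        h = mcv_min_entropy(src.samples, src.sample_bits)
        if h < min_bits_per_sample:
            report[src.name] = f"rejected: {h:.3f} bits/sample"
            continue
        need = samples_needed(target_bits, h)
        if need > len(src.samples):
            report[src.name] = f"rejected: need {need} samples, have {len(src.samples)}"
            continue
        blocks.append(condition(src.name, src.samples[:need]))
        report[src.name] = f"accepted: {h:.3f} bits/sample, {need} samples"
    if not blocks:
        raise RuntimeError(f"no usable noise source: {report}")
    return combine(blocks), report


class HmacDrbg:
    # HMAC_DRBG with SHA-256 (SP 800-90A, 10.1.2) seeded from the combined output.
    def __init__(self, seed_material, reseed_interval=1 << 16):   # interval is assumed
        self.K, self.V = b"\x00" * 32, b"\x01" * 32
        self.reseed_interval = reseed_interval
        self._update(seed_material)
        self.reseed_counter = 1

    def _update(self, provided):
        self.K = hmac.new(self.K, self.V + b"\x00" + provided, SHA).digest()
        self.V = hmac.new(self.K, self.V, SHA).digest()
        if provided:
            self.K = hmac.new(self.K, self.V + b"\x01" + provided, SHA).digest()
            self.V = hmac.new(self.K, self.V, SHA).digest()

    def reseed(self, seed_material):
        self._update(seed_material)
        self.reseed_counter = 1

    def generate(self, n):
        if self.reseed_counter > self.reseed_interval:
            raise RuntimeError("reseed required")
        out = b""
        while len(out) < n:
            self.V = hmac.new(self.K, self.V, SHA).digest()
            out += self.V
        self._update(b"")
        self.reseed_counter += 1
        return out[:n]


# Constructed sample data (not real RNG output): a deterministic byte cycle standing in
# for a well-behaved source, a source stuck at zero 60% of the time, and a dead source.
SOURCES = [
    NoiseSource("rdseed", 8, True, bytes(range(256)) * 4),
    NoiseSource("adc-lsb", 8, False, bytes([0] * 600 + [1 + i % 255 for i in range(400)])),
    NoiseSource("stuck", 8, True, bytes(1000)),
]

if __name__ == "__main__":
    seed, report = gather_seed(SOURCES)
    for name, line in report.items():
        print(f"{name:8s} {line}")
    print("first DRBG output:", HmacDrbg(seed).generate(16).hex())
```

The report dictionary is the piece step 6 asks for: it tells an operator why each source was accepted or rejected, and switching `fips_only=True` drops the unapproved source without touching the rest of the pipeline.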