[Cryptography] Is Ron right on randomness

David Johnston dj at deadhat.com
Sat Nov 26 19:32:47 EST 2016

On 11/26/16 6:38 AM, Salz, Rich wrote:
>> Absolutely right.  Only TRNGs that make raw data available should be trusted.  Further, the source should have a simple physical model which is proven out by measurements, preferably continuously.
> Meanwhile, back in the real world...  What should OpenSSL do, given the wide number of platforms and huge uninformed community that depends on it, do?
> _______________________________________________

1: Add the ability to identify the sources available.
     RdRand and RdSeed in Intel and AMD are easy. Use CPUID.
     The old i810 RNG might be available or emulated in a VM (but then 
you need to know what the VM is doing).
     I understand that there are other on chip sources available on 
other architectures but I am not an expert in using those.
2: Properly characterize the source:
     Min Entropy Sources
     Hill Entropy/Seeded Pseudo random sources
     Squish Sources
     Gaussian sources (like RF receive chains or the demod error vector 
popular on phone chips)
     FIPS compliant sources
     DRBGs or ENRBGs
3: Apply proper extractor theory to correctly identify the right 
extractor algorithms to apply to these sources
4: Combine them with some additional extractor theory.
5: Use that to seed your own CSPRNG as frequently as required - this is 
a slightly hard problem which I wrote about yesterday.
6: Provide a simple and comprehensible configuration interface and 
reporting options so code through an API and users through the command 
line can interrogte what's going on regarding available entropy and set 
policy as required (E.G. require only FIPS compliant or SP800-90 
compliant or tin foil hat compliant sources).


More information about the cryptography mailing list