[Cryptography] High volume thermal entropy from an iPhone

Jerry Leichter leichter at lrw.com
Fri Dec 15 15:54:53 EST 2017


> The only weak guarantee I see here is that, comparing a random
> motherboard vendor, a dedicated HSM vendor and Apple, the party I would
> trust the most would be Apple for economic reasons. What is double
> digit millions in reputation/brand damage to small vendors is tens of
> billions of damage to Apple - they have the most motivation to keep all
> parts of the firmware/software stack secure. But of course that's just a social
> guarantee we are trying to avoid in the first place.
There's another thing to consider:  Even assuming NSA-level resources, it would be impossible to rig every potential source of randomness out there.  And suppose you actually put this out there, and thousands of random hackers adopted it.  Would that be important enough for NSA to go to the trouble of forcing Apple to rig everyone's phones just to get to those?  And - unless they could accomplish that with just a software update - it wouldn't work against any pre-existing phones *anyway*.

Now, if it were known that someone like the North Korean military liked your design and started to use it ... everything would change.

Things like that have to go into a reasonable risk analysis.

We often remark here that you should rely on proven code from experts, not do your own crypto code.  That's true with respect to some kinds of attack scenarios, not so simple with respect to others.  If you're a small target, making sure that attacks against you are significantly distinct from attacks against the big targets is probably not a bad idea.

For example:  Suppose you are suspicious that the NSA has an attack on AES - and you're a little guy who doesn't need to have high-speed hardware, just software; and you don't need to interoperate with anyone.  Take your AES software implementation, run half the rounds, insert any keyed, reversible operation on the state (*using a key completely independent from the AES key*), then run the other half of the rounds.  In practical terms, no one will ever break that, even if they have some fancy attack on AES itself - unless you use it for something worth many billions of dollars.

                                                        -- Jerry
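The construction in the last paragraph, as an added illustration that is not code from the original post or from Jerry: AES-128 written out from the FIPS-197 primitives in pure Python so that the ten rounds can be split around an inserted keyed operation. The choice of middle step (XOR with a second 16-byte key, then a byte permutation derived from that key), the split after round 5, and the `MID_KEY` value are assumptions made here for illustration; the unmodified path is checked against the FIPS-197 Appendix C.1 test vector so that an error in the round functions would show up. It generalizes the post's "half the rounds" to any split point via `split_after`.

```python
# Added illustration, not code from the original post: AES-128 built from the
# FIPS-197 primitives in pure Python, so the ten rounds can be split around an
# independent keyed, reversible step. Study code, not a library for real use.
from functools import reduce
from operator import xor

def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():
    """S-box from its definition: multiplicative inverse (x^254), then the affine map."""
    sbox = []
    for x in range(256):
        inv = reduce(_gmul, [x] * 254, 1) if x else 0
        s = inv  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4) ^ 0x63
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
MIX, INV_MIX = (2, 3, 1, 1), (14, 11, 13, 9)  # first rows of the circulant matrices

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, in the same byte order as the state."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

# State: flat list of 16 bytes in FIPS-197 order, row r of column c at index r + 4*c.
def _add_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]
def _shift_rows(s, d):  # row r rotates by r positions; d=1 forward, d=-1 inverse
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]
def _mix_columns(s, m):  # each column times the circulant matrix whose first row is m
    return [reduce(xor, (_gmul(m[(j - r) % 4], s[4 * c + j]) for j in range(4)))
            for c in range(4) for r in range(4)]
def _enc_round(s, rk, final):
    s = _shift_rows([SBOX[b] for b in s], 1)
    return _add_key(s if final else _mix_columns(s, MIX), rk)
def _dec_round(s, rk, final):  # exact inverse of _enc_round
    s = _add_key(s, rk)
    s = _shift_rows(s if final else _mix_columns(s, INV_MIX), -1)
    return [INV_SBOX[b] for b in s]
def _rounds(s, rks, first, last, inverse=False):
    """Rounds first..last in order, or their inverses in reverse order."""
    for i in (range(last, first - 1, -1) if inverse else range(first, last + 1)):
        s = (_dec_round if inverse else _enc_round)(s, rks[i], i == 10)
    return s

def _mid_op(s, mid_key, inverse=False):
    """The inserted keyed, reversible step (a hypothetical choice): XOR with the
    independent 16-byte key, then a byte permutation derived from that key."""
    perm = list(range(16))
    for i in range(15, 0, -1):  # Fisher-Yates driven by the key bytes
        j = mid_key[i] % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    if not inverse:
        t = _add_key(s, mid_key)
        return [t[perm[i]] for i in range(16)]
    t = [0] * 16
    for i in range(16):
        t[perm[i]] = s[i]
    return _add_key(t, mid_key)

def encrypt(block, aes_key, mid_key=None, split_after=5):
    """AES-128 with the independent keyed step after split_after rounds; mid_key=None is plain AES."""
    rks = _expand_key(aes_key)
    s = _rounds(_add_key(list(block), rks[0]), rks, 1, split_after)
    if mid_key is not None:
        s = _mid_op(s, mid_key)
    return bytes(_rounds(s, rks, split_after + 1, 10))

def decrypt(block, aes_key, mid_key=None, split_after=5):
    rks = _expand_key(aes_key)
    s = _rounds(list(block), rks, split_after + 1, 10, inverse=True)
    if mid_key is not None:
        s = _mid_op(s, mid_key, inverse=True)
    return bytes(_add_key(_rounds(s, rks, 1, split_after, inverse=True), rks[0]))

# FIPS-197 Appendix C.1 vector, plus a constructed second key for the middle step.
FIPS_KEY = bytes(range(16))
FIPS_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
MID_KEY = bytes.fromhex("a5" * 8 + "3c" * 8)  # constructed; independent of FIPS_KEY

if __name__ == "__main__":
    ct = encrypt(FIPS_PT, FIPS_KEY, MID_KEY)
    print(encrypt(FIPS_PT, FIPS_KEY) == FIPS_CT, ct.hex(), decrypt(ct, FIPS_KEY, MID_KEY) == FIPS_PT)
```

The two checks worth running are the ones the construction depends on: the plain path (`mid_key=None`) must reproduce the published vector, which validates the round functions, and `decrypt(encrypt(x))` must give back `x`, which is what "reversible" has to mean for the inserted step. As the post says, the result interoperates with nothing, and the second key needs the same protection as the AES key.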
