[Cryptography] Proper Entropy Source
Kent Borg
kentborg at borg.org
Thu Mar 5 11:23:39 EST 2020
On 1/24/20 11:35 AM, Peter Todd wrote:
> On January 23, 2020 8:26:43 PM EST, Ryan Carboni <ryacko at gmail.com> wrote:
>> On Thu Jan 23 11:25:55 EST 2020, Theodore Y. Ts'o wrote:
>>
>> public/private keypair the first time it is plugged into AC mains,
>>
>> each outlet in your house has a different voltage
> While it's true that the voltages will be different, every outlet will have the same phase (modulo the trivial 180° out of phase you see due to split power). So this is irrelevant to anything about random number generation.
[I should have sent this sooner. Might be too stale, if moderators kill
it I'll not object.]
When looking for entropy, sample every input one can from the real
world. And if one is looking for entropy that is unknown to a distant
foe, sample local things. In addition, do it at a moment that is unknown
to that distant foe. Maybe when a human physically plugs it in--another
case of sampling something local, a human.
For a project I worked on that wanted entropy I sampled every voltage
and temperature I could find, every serial number I could find, I
sampled fan RPMs, I hashed startup contents of DRAM (this was a vintage
when these parts did not initialize to zeros). I also initialized the
stored pool from a mouse-equipped computer at "manufacturing" time. I
regularly saved the pool in a cron job (to minimize a reboot after a
crash replaying from a previous state). This was also a time when the
Linux urandom maintainer was busily turning off all interrupt timing as
entropy sources, on some damn purity grounds (stupid!), so I compiled a
custom kernel turning them back on.
In the case of AC power, sure, at a gross level it will be the same
phase--across a very large region. But the powerlines are an antenna and
each outlet is getting different local reception, so there is going to
be local information there that is not available elsewhere. That looks
tasty if I'm looking for entropy. (Always hash accordingly.)
Doing detailed sampling of the AC is expensive, but measuring phase
could be pretty cheap...and, exactly when an embedded device is plugged
in (and the phase when it first gets around to measuring it) isn't
something that is easy for a remote foe to learn. Hell, it isn't easy
for a really sophisticated near foe to learn. Phase, based on, say,
millisecond-quality measurement, seems valuable; there are obvious ways
to attack it, but oh my God, they are expensive. If one is designing a
cheap device manufactured in volume, scale will not be on the side of the
attacker.
We should quit being so pure about "entropy" and be pleased for any
/local/ information that /remote/ attackers can't easily know. The real
world matters for RNGs, implementation matters (stupid things like, are
your entropy sources not wired up in the first place? Or are you giving
away your pool somehow?), and physical dimensions matter: If your
attacker can't get closer than some minimum range, and there is going to
be local information that is hard for the attacker to know (speed of
light, lossy "signal lines", and inelastic mechanics are your friends).
Will there be phase jitter in an on-chip, multi-GHz,
pseudo-spread-spectrum, analog PLL? Yes! Looks as good as "entropy" to
me: at least if one's foes are forced to be more than a few mm away, and
if they aren't that far away? You have far bigger problems.
RNGs are an engineering problem. That means theory applied to practical
reality.
-kb
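An added example, not code from Kent's post or any project, of the pool discipline the post describes: labelled local readings (constructed placeholder values standing in for a serial number, fan RPM, a millisecond-grade AC phase sample and the plug-in time) are hashed into a pool with domain separation, credited conservatively, and checkpointed atomically so a crash never replays the exact state the RNG was seeded with. The source names, entropy credits and file path are assumptions.

```python
import hashlib
import os
import tempfile
# Constructed readings standing in for the local sources the post lists; the
# credits are illustrative assumptions kept low on purpose (a serial is unique
# but not secret; a ms-grade phase read of a 60 Hz, 16.7 ms cycle is ~4 bits).
SAMPLE_SOURCES = [
    ("board.serial", b"SN-0001234-EXAMPLE", 0),
    ("fan0.rpm", b"2893", 3),
    ("ac.phase_ms", b"9", 4),
    ("plug_in.monotonic_ns", b"8841237712", 6),
]

def mix(pool: bytes, label: str, value: bytes) -> bytes:
    """Fold one labelled reading in; length prefixes fix the field split."""
    h = hashlib.sha256(pool)
    lab = label.encode()
    h.update(len(lab).to_bytes(2, "big") + lab)
    h.update(len(value).to_bytes(4, "big") + value)
    return h.digest()

def build_pool(sources, saved_pool: bytes = b""):
    """Mix readings over the saved pool; a weak source cannot subtract."""
    pool, credit = saved_pool, 0
    for label, value, bits in sources:
        pool = mix(pool, label, value)
        credit += bits
    return pool, credit

def derive(pool: bytes):
    """Distinct RNG seed and successor pool: saved bytes never equal RNG input."""
    return (hashlib.sha256(b"seed" + pool).digest(),
            hashlib.sha256(b"next" + pool).digest())

def boot(path: str, sources):
    """Mix fresh readings over the last checkpoint, then checkpoint the successor."""
    saved = open(path, "rb").read() if os.path.exists(path) else b""
    pool, credit = build_pool(sources, saved)
    seed, nxt = derive(pool)
    with open(path + ".tmp", "wb") as f:
        f.write(nxt)
    os.replace(path + ".tmp", path)  # atomic, like the cron-job save
    return seed, credit

def two_boots(sources):
    """Two boots with identical readings (a replayed state) must not repeat."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pool.bin")
        seed1, _ = boot(path, sources)
        seed2, _ = boot(path, sources)
        return seed1, seed2, open(path, "rb").read()
```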