[Cryptography] OTP USB TLA

Ron Garret ron at flownet.com
Mon Sep 22 18:57:10 EDT 2025



> On Sep 9, 2025, at 1:11 AM, John Gilmore <gnu at toad.com> wrote:
> 
> I had an idea a few years ago that with the ubiquity of high bandwidth
> USB interfaces and large flash chips, someone could build a small USB
> device that would cache paired True random numbers when physically
> plugged into a second such device.  The two plugged-together devices
> (when also plugged into power) would fill their memories with identical
> true random numbers.  When you unplugged them and took them to two
> different places, you'd have gigabytes or a few terabytes of paired
> high quality random numbers, in a tiny, innocuous form factor.
> 
> The USB interface from the device to the randomness user (host computer)
> would never hand out a particular set of random bits more than once, and
> would securely erase them from its memory as soon as they were handed
> over the interface.  So seizing an already-used device would not expose
> past traffic.
> 
> So far this isn't rocket science, but it has a few problems:
> 
>  * How do you best avoid an attacker depleting all your randomness by
>  having malware just suck bits out until there aren't any more?  Such
>  an attack at either end of a comms link would disable the encryption,
>  a denial-of-service attack.
> 
>  * How does the host computer authenticate that it's really talking to
>  your RNG device?  Someone like Q could build a lookalike USB thing
>  that an Evil Maid could swap for yours.  It would suck all the secret
>  bits out of your true USB device when the Maid plugged yours into it;
>  would also make a copy of that bit stream somewhere else (like on an
>  ordinary USB stick) for the Evil Maid's employer; and would store the
>  extracted bit stream inside itself so the Evil device could pretend to
>  be your device the next time you plugged it in.  Its delivered bits
>  would match the bits at the other end of your comms link, but they
>  would have been secretly copied for the attacker's use.

A corollary to your second problem: how can you be sure that your device works as advertised in the first place?  If you're worried about evil maid attacks then you probably ought to be worried about supply chain attacks as well.  In other words, whoever provided the evil maid with the device she swapped out for your original could just as easily have supplied you with your original hardware unless you have a proper audit trail to ensure its provenance.  Good luck with that.

rg
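The consume-once-and-erase behaviour John describes, plus the depletion problem he raises, modelled as an added toy example (not code from anyone in this thread). The pad is filled with os.urandom here in place of the paired hardware TRNG, and the per-session quota is a hypothetical mitigation for the drain-everything denial of service, not something the thread specifies.

```python
import os

class PadDevice:
    """Toy model of one half of a paired pad device: bytes leave once, then are erased."""
    def __init__(self, pad: bytearray, quota: int):
        self._pad = pad          # shared random material (constructed with os.urandom below)
        self._pos = 0            # index of the next unused byte
        self._quota = quota      # hypothetical per-session cap against draining the pad
        self._issued = 0

    def remaining(self) -> int:
        return len(self._pad) - self._pos

    def take(self, n: int) -> bytes:
        if self._issued + n > self._quota:
            raise PermissionError("session quota exceeded; refusing to drain pad")
        if n > self.remaining():
            raise RuntimeError("pad depleted")
        out = bytes(self._pad[self._pos:self._pos + n])
        # Overwrite what was handed over so a seized device does not expose past traffic.
        # In Python this is best effort: 'out' and its copies still live on the host side.
        self._pad[self._pos:self._pos + n] = bytes(n)
        self._pos += n
        self._issued += n
        return out

def make_pair(size: int, quota: int):
    """Stand-in for plugging two devices together: both get identical random bytes."""
    shared = os.urandom(size)
    return PadDevice(bytearray(shared), quota), PadDevice(bytearray(shared), quota)

def otp_xor(data: bytes, key: bytes) -> bytes:
    if len(key) != len(data):
        raise ValueError("one-time pad key must match message length")
    return bytes(a ^ b for a, b in zip(data, key))

def demo() -> dict:
    alice, bob = make_pair(64, quota=48)
    msg = b"meet at noon"                      # 12 bytes of constructed plaintext
    ct = otp_xor(msg, alice.take(len(msg)))
    pt = otp_xor(ct, bob.take(len(ct)))        # both ends advance through the pad in lockstep
    erased = alice._pad[:len(msg)] == bytes(len(msg))
    try:
        alice.take(40)                         # 12 + 40 exceeds the 48-byte session quota
        quota_blocked = False
    except PermissionError:
        quota_blocked = True
    return {"pt": pt, "erased": erased, "quota_blocked": quota_blocked,
            "remaining": alice.remaining()}
```

Note that nothing in this model lets the host tell a genuine device from a lookalike that replays copied bytes, which is exactly the second problem in the quoted mail.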


