[147809] in cryptography@c2.net mail archive


Re: [Cryptography] [RNG] on RNGs, VM state, rollback, etc.

daemon@ATHENA.MIT.EDU (Peter Todd)
Tue Oct 22 11:27:16 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 22 Oct 2013 03:21:25 -0400
From: Peter Todd <pete@petertodd.org>
To: Watson Ladd <watsonbladd@gmail.com>
In-Reply-To: <CACsn0c=c_w-eqnGS6NgagC0D8VaR1BACroWG4cZMDtK9UMCnHA@mail.gmail.com>
Cc: John Kelsey <crypto.jmk@gmail.com>, Russ Nelson <nelson@crynwr.com>,
	Cryptography <cryptography@metzdowd.com>,
	"rng@lists.bitrot.info" <rng@lists.bitrot.info>, John Denker <jsd@av8n.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Mon, Oct 21, 2013 at 09:17:00PM -0700, Watson Ladd wrote:
> > Suppose the RNG hashes in a MAC address.  Immediately, the attacker has
> > a worse life--now with the same amount of entropy, he must do a new 2^{40}
> > search each time he encounters a new device with a public key.  It's like
> > a salted password hash.
> And with a wire that costs 25 cents connecting the wallwart to the
> interrupt pin we've got 60 Hz (50 in Europe) uncorrelated to our local
> clock. Measure the drift, and in 5 seconds we are done collecting 250
> bits of entropy (one bit per interrupt).

That wire costs 25 cents; installing it costs orders of magnitude more
than that.

We have to work within fully commodity hardware like it or not.

> 2^40 is not a lot for your colleges in Fort Mead. Imagine this is host
> key generation on hosts on large, important, networks. Piddling with
> the MAC key won't keep out anyone who seriously wants to get in.

Fortunately usually they only kinda want to get in, because they've got
ten thousand other people they're trying to hack to expand their
budgets, er, I mean catch terrorists.  Also fortunately even the NSA has
a limited budget, and that doable 2^40 suddenly becomes a rather
expensive 2^80 if your target happens to have two network interfaces.

Attacks against software RNG's tend to be incredibly brittle. Just make
sure you don't accidentally make the MAC key be the only entropy the
system ever has - remember that you can't test a crypto-quality software
RNG for randomness after the fact.

-- 
'peter'[:-1]@petertodd.org
0000000000000007c786b8211bbccd325f1cdb5db7fb87b10b9cddf0e8edb69a
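An added toy model of the "salted password hash" point discussed in this thread (it is not code from Peter Todd's message or from any real operating-system RNG; the SHA-256 mixing construction, the domain tag and the sample MAC addresses are assumptions made for illustration). It shows that a device-unique MAC mixed into a pool with only a few bits of entropy makes the set of reachable seeds disjoint between two devices, so any guess over the pool has to be repeated per device, and it also shows the failure mode the message warns about: when the MAC is the only input, every boot derives the same, publicly derivable seed.

```python
import hashlib

# Toy model only: a real RNG keeps a larger pool, reseeds continuously and
# uses a proper DRBG; this mixer exists to make the salt argument concrete.


def derive_seed(pool: bytes, mac: bytes) -> bytes:
    """Mix the device-unique MAC into the entropy pool before seeding.

    The MAC is public, so it adds no secrecy. Like the salt in a password
    hash it only forces any guess over the pool contents to be redone for
    every device the guesser encounters.
    """
    h = hashlib.sha256()
    h.update(b"toy-rng-seed-v1")  # domain-separation tag (assumed)
    h.update(mac)
    h.update(pool)
    return h.digest()


def candidate_seeds(mac: bytes, entropy_bits: int) -> set:
    """Every seed a device with this MAC can reach when its pool carries only
    `entropy_bits` of entropy (the pool is modelled as a counter in
    [0, 2**entropy_bits), so the set has 2**entropy_bits members)."""
    return {derive_seed(i.to_bytes(8, "big"), mac)
            for i in range(2 ** entropy_bits)}


def salt_separates_devices(entropy_bits: int = 12) -> bool:
    """True when no seed reachable by device A is reachable by device B:
    a table of guesses built against one MAC does not carry over to another,
    which is the per-device 2^40 repeat the message describes."""
    mac_a = bytes.fromhex("001122334455")  # constructed sample MAC
    mac_b = bytes.fromhex("0011223344aa")  # constructed sample MAC
    return candidate_seeds(mac_a, entropy_bits).isdisjoint(
        candidate_seeds(mac_b, entropy_bits))


def mac_only_pool_repeats(mac: bytes, boots: int = 3) -> bool:
    """The failure mode warned about: if the MAC is the only thing the pool
    ever sees, every boot derives the same seed, and because the MAC is
    public that seed is known to anyone who can read it off the network."""
    empty_pool = b""  # nothing but the MAC was ever mixed in
    seeds = {derive_seed(empty_pool, mac) for _ in range(boots)}
    return len(seeds) == 1


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    print("12-bit pool, distinct seeds per device:", len(candidate_seeds(mac, 12)))
    print("salt separates two devices:", salt_separates_devices())
    print("MAC-only pool repeats across boots:", mac_only_pool_repeats(mac))
```

The disjointness check is the whole argument in one line: with 12 bits of real entropy each device can reach 4096 seeds, but the two sets never overlap, so precomputation against one MAC buys nothing against the next. The last function is the caveat: the salt distinguishes devices, it never substitutes for entropy, and a pool that holds nothing but the MAC is deterministic on every boot.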

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
