[148525] in cryptography@c2.net mail archive
Re: [Cryptography] Fwd: [IP] 'We cannot trust' Intel and
daemon@ATHENA.MIT.EDU (Stephan Mueller)
Thu Dec 19 13:29:55 2013
X-Original-To: cryptography@metzdowd.com
From: Stephan Mueller <smueller@chronox.de>
To: cryptography@metzdowd.com
Date: Thu, 19 Dec 2013 18:04:43 +0100
In-Reply-To: <8D3821B5-50F4-4E71-99D6-C8CDAE6C4816@me.com>
Cc: John Kelsey <crypto.jmk@gmail.com>, nico@cryptonector.com,
Charles Jackson <clj@jacksons.net>, Arnold Reinhold <agr@me.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Thursday, 19 December 2013, 07:56:36, Arnold Reinhold wrote:
Hi Arnold,
>How do we safely initialize Yarrow or another software RNG if the
>CPU's hardware RNG is compromised and there is no other source of
>entropy? This is a situation that is increasingly common in all
>solid-state black box devices, and is especially tricky at first
>startup, when keys used to manage such units are often generated.
There are various implementations of RNGs that use CPU execution timing
variations as a noise source. That phenomenon is available right from the
start of the CPU. In fact, the patch in my Jitter RNG [4] for the Linux
/dev/random would fill the input_pool with entropy during initialization
at system boot time, early in the boot cycle. This could be done for a
Yarrow as well. I guess the other RNGs could be used in a similar
fashion.
So, there are noise sources which do not depend on some black box.
[1] http://www.issihosts.com/haveged/
[2] http://dankaminsky.com/2012/08/15/dakarand/
[3] http://jytter.blogspot.se/
[4] http://www.chronox.de/
Ciao
Stephan
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography