[149184] in cryptography@c2.net mail archive
Re: [Cryptography] cheap sources of entropy
daemon@ATHENA.MIT.EDU (Bill Frantz)
Tue Jan 21 17:42:41 2014
Date: Tue, 21 Jan 2014 14:27:49 -0800
From: Bill Frantz <frantz@pwpconsult.com>
To: cryptography@metzdowd.com
In-Reply-To: <52DED622.1060607@av8n.com>
On 1/21/14 at 12:18 PM, jsd@av8n.com (John Denker) wrote:
>My point is that it makes more sense to have one or two
>properly-calibrated well-defended entropy sources than
>some vast number of "sources" that might produce entropy
>or might not.
I am going to assume that John means hardware sources here.
Now I contend that as a sound engineering principle, any
hardware device that is being relied on for important functions
-- life support, security, etc. -- must be regularly tested for functionality.
On 1/20/14 at 1:38 PM, jsd@av8n.com (John Denker) wrote:
>It tells you that if you are using an accelerometer to capture
>the human interaction, the physics of the sensor is a better
>source of entropy than the human is.
...
>Given a high-precision microphone preamp, it provides better
>randomness if the input is open-circuited, rather than attached
>to an actual microphone, no matter how "complex" the acoustic
>environment is ... and it continues to work even in non-complex environments.
It seems to me if we are fortunate enough to have a large number
of sources, like on a smart phone, we should use them all. (My
phone has at least: 2 radio receivers (GPS + cell),
accelerometer, compass, microphone, 2 cameras). We don't have to
add extra hardware. We just have to characterize the hardware we
already have.
There are at least two reasons why this is the best approach:
* The user regularly tests the hardware and gets it repaired
when it fails,
* The bean counters don't have to pay for extra hardware.
Most of the characterizable entropy comes from things like
thermal noise in the amplifiers and band noise in the radios.
(However, the bands used by cell phone receivers are
characterized by relatively low noise.) The rest is what John
calls "squishy", however we'll mix it in anyway.
If we add hardware to open the input to e.g. the microphone and
cameras, then we run the risk of having it fail in a way that
destroys the entropy, so we want to characterize things with
everything in place. No extra hardware keeps the bean counters
happier too.
Having dedicated hardware for randomness is strictly worse
because we don't have any good tests that show it is still working.
Almost any approach is critically dependent on the mixing
function. I have always assumed that secure hash functions work
well in this application, but I don't know of any proof.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | The nice thing about standards | Periwinkle
(408)356-8506      | is there are so many to choose | 16345 Englewood Ave
www.pwpconsult.com | from. - Andrew Tanenbaum       | Los Gatos, CA 95032
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
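
The two ideas in the message above, mixing every available source through a secure hash and continuously testing each source, can be sketched as follows. This is an added example, not part of the original post: the `Source` and `Pool` names, the bits-per-sample figures and the sample data are constructed assumptions, and the health check is the repetition count test from NIST SP 800-90B, which the message does not mention.

```python
import hashlib
import math

class Source:
    """A raw noise source with an assumed, pre-characterized min-entropy (bits/sample)."""
    def __init__(self, name, bits_per_sample, alpha_log2=20):
        self.name, self.bits_per_sample = name, bits_per_sample
        # SP 800-90B repetition count cutoff: C = 1 + ceil(-log2(alpha) / H)
        self.cutoff = 1 + math.ceil(alpha_log2 / bits_per_sample)
        self.last, self.run, self.healthy = None, 0, True

    def check(self, sample):
        """Continuous health test: a stuck sensor repeats one value; failure is latched."""
        self.run = self.run + 1 if sample == self.last else 1
        self.last = sample
        if self.run >= self.cutoff:
            self.healthy = False
        return self.healthy

class Pool:
    """Hash-based mixer: every sample is mixed in, only healthy sources earn credit."""
    def __init__(self):
        self.state = hashlib.sha256(b"pool-init").digest()
        self.credited_bits = 0.0

    def add(self, source, sample):
        ok = source.check(sample)
        name = source.name.encode()
        # Length-prefix each field so (source, sample) pairs encode unambiguously.
        msg = bytes([len(name)]) + name + len(sample).to_bytes(2, "big") + sample
        # "Squishy" or failed input is still mixed; it just earns no credit.
        self.state = hashlib.sha256(self.state + msg).digest()
        if ok:
            self.credited_bits = min(256.0, self.credited_bits + source.bits_per_sample)
        return ok

    def seed(self, need_bits=128):
        """Release a 32-byte seed only once enough credited entropy has been mixed in."""
        if self.credited_bits < need_bits:
            raise RuntimeError("insufficient credited entropy")
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()  # ratchet forward
        self.credited_bits = 0.0
        return out

def demo():
    """Constructed samples: 'mic' varies on every read, 'accel' is stuck at one value."""
    pool, mic, accel = Pool(), Source("mic", 4.0), Source("accel", 2.0)
    for i in range(40):
        pool.add(mic, bytes([(i * 37 + 11) % 256, i]))
        pool.add(accel, b"\x00\x00")
    return pool, mic, accel
```

The repetition count test only catches a source that is stuck on one value; it does not validate the per-sample entropy estimate, which still has to come from characterizing the hardware.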