[149200] in cryptography@c2.net mail archive


Re: [Cryptography] Auditing rngs

daemon@ATHENA.MIT.EDU (ianG)
Wed Jan 22 02:11:57 2014

X-Original-To: cryptography@metzdowd.com
Date: Wed, 22 Jan 2014 10:06:07 +0300
From: ianG <iang@iang.org>
To: John Kelsey <crypto.jmk@gmail.com>, Kent Borg <kentborg@borg.org>
In-Reply-To: <936A06C8-2200-42FC-97B8-41FA4C01261D@gmail.com>
Cc: Philip Shaw <wahspilihp@gmail.com>, Tom Mitchell <mitch@niftyegg.com>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	Bill Frantz <frantz@pwpconsult.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 21/01/14 20:55 PM, John Kelsey wrote:
> It seems like it should be relatively straightforward to do a cut and choose style audit on a random bit generator.  However, the functionality you would need for this would also be a hell of an attack point, so it's a mixed bag.
> 
> Imagine you have an HSM that has its own entropy source.  We want to have it do something that requires randomness, say generate an RSA key.  So we do the following:


How about this variant?  Let's have the HSM have its own entropy source.  But let's expand the scope to multiple HSMs (which are required anyway).

HSM1 is put into key generation mode.  HSM2 is put into RNG/audit mode.

HSM2 collects the entropy, processes it into an RN stream, escrows it,
and passes it to HSM1.

HSM1 reads in the RN stream, and creates the key.

HSM1 then passes the key back to HSM2, which then verifies the key and
verifies that it was generated deterministically.

If the HSMs follow the same protocol, then they can be used to verify
each other.



iang
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
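
The two-HSM split described in the message above, modelled as an added example (not code from the thread or from any HSM vendor): HSM2's escrowed RN stream is stood in for by an HMAC-SHA256 counter generator over a seed, HSM1 derives a small RSA key purely from that stream (even the Miller-Rabin bases come from it), and HSM2 audits by replaying the escrowed stream and checking that the returned key is exactly the one determinism predicts. The 512-bit size, class and function names are constructed for the demonstration.

```python
import hashlib, hmac, math

class EscrowedStream:
    # HSM2's RN stream: HMAC-SHA256 in counter mode over a seed (stand-in for a real DRBG).
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0  # escrowing the seed allows exact replay later
    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hmac.new(self.seed, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        return out[:n]

def is_probable_prime(n: int, stream: EscrowedStream, rounds: int = 16) -> bool:
    # Miller-Rabin whose bases come from the stream: the whole transcript is a function of it.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(stream.read((n.bit_length() + 7) // 8), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int, stream: EscrowedStream) -> int:
    while True:  # candidate = stream bytes with the top and low bits forced to 1
        cand = int.from_bytes(stream.read(bits // 8), "big") | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, stream):
            return cand

def generate_rsa(stream: EscrowedStream, bits: int = 512, e: int = 65537) -> tuple:
    # HSM1 in key-generation mode: consumes only the supplied stream, no local entropy.
    while True:
        p, q = gen_prime(bits // 2, stream), gen_prime(bits // 2, stream)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e, pow(e, -1, phi))  # (n, e, d)

def audit(seed: bytes, key: tuple, bits: int = 512) -> bool:
    # HSM2 in audit mode: replay the escrowed stream; a substituted or tampered key fails.
    return generate_rsa(EscrowedStream(seed), bits) == key
```

Because every random choice, including the primality-test bases, is drawn from the escrowed stream, HSM2 can regenerate the key bit for bit; a key that did not come from that stream cannot pass `audit`.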
