[149262] in cryptography@c2.net mail archive
Re: [Cryptography] cryptography Digest, Vol 9, Issue 29
daemon@ATHENA.MIT.EDU (Arnold Reinhold)
Wed Jan 29 16:01:25 2014
X-Original-To: cryptography@metzdowd.com
From: Arnold Reinhold <agr@me.com>
In-reply-to: <mailman.1.1391014801.7843.cryptography@metzdowd.com>
Date: Wed, 29 Jan 2014 15:36:16 -0500
To: cryptography@metzdowd.com
Cc: Thierry Moreau <thierry.moreau@connotech.com>,
Bill Stewart <bill.stewart@pobox.com>,
Paul Hoffman <paul.hoffman@vpnc.org>,
"James A. Donald" <jamesd@echeque.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
Yesterday's thread on this topic demonstrates what I have been trying to say. Everyone thinks they know how to generate random bits for cryptography. Everyone thinks the other guy is doing it wrong and everyone is looking at the problem through a different lens and therefore missing something important. (And I don't exclude myself.)

On Wed, 29 Jan 2014 James A. Donald wrote:

> We do, however, know how to do RNG right. We just don't do it right.
>
> Use many, many different entropy sources, even ones that are known to
> suck. The attacker cannot predict or control all of them.

I agree, find me a standard that says that.

> ...If your device likely has a solid state drive, so no hard drive
> turbulence, then it likely has lots of hardware sources of thermal noise
> and quantum noise, as for example the android phone.

Mobile phones are easy. The hard case is the large number of "internet of things" devices being sold or about to be introduced. (Google did not pay $3.2 billion for Nest just to conquer the digital thermostat business.) Most of these devices lack a hard drive and many have no other obvious source of randomness, especially when they first start up. Some will be used in places where they can do real damage.

Paul Hoffman wrote:

> ...On all recent FreeBSDs:
>
> # dir /dev | grep random
> crw-rw-rw- 1 root wheel 0x14 Oct 7 07:01 random
> lrwxr-xr-x 1 root wheel 6 Oct 7 14:00 urandom -> random

As I understand it, FreeBSD currently uses Yarrow for both random and urandom. See https://wiki.freebsd.org/201308DevSummit/Security/DevRandom for a discussion of possible startup problems.

Thierry Moreau wrote:

> There are no economic incentives for a low-cost manufacturer to commit
> to provide a "trusted" source of entropy. Intel did something and now
> their design is suspected of back-door by (a portion of) the very
> community that requested something to be done.

Intel hid their entropy source behind an AES-based whitener, a design that is ideal for back-dooring. There is no technical or economic reason for doing that and it should be considered as suspicious as Dual_EC_DRBG was. If they had a more transparent design, I suspect they would have earned broad community support.

As for economic incentives, the only one I can think of is to earn a certification stamp. FIPS-140 is both overkill and underkill for such devices. We need something better.

>
> Somehow this discussion tends to run into circles.

An astute observation. I submit this happens because there is no standard or guideline nor a process to get one that has any acceptance. I suggested a Wiki as a start. Any other ideas?

Arnold Reinhold
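Added example, not part of the thread: the "many sources, even bad ones" combiner Donald describes, with the raw per-source samples kept visible for a health check rather than hidden behind a whitener. All source values are constructed stand-ins for what an IoT device might sample at boot; the names are hypothetical.

```python
import hashlib
from typing import Iterable

def combine_sources(sources: Iterable[bytes], out_len: int = 32) -> bytes:
    """Mix independent entropy sources with a length-prefixed SHA-256.
    Length prefixes keep boundaries unambiguous, so (b"ab", b"c") and
    (b"a", b"bc") do not collide. The digest is unpredictable as long as
    at least one input is: an attacker has to know every source."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()[:out_len]

def repetition_count_fail(samples: bytes, cutoff: int) -> bool:
    """SP 800-90B style repetition count test on one source's raw samples.
    True when a value repeats `cutoff` or more times in a row: the source
    looks stuck and should earn no entropy credit (it is still mixed in)."""
    run, prev = 0, None
    for b in samples:
        run = run + 1 if b == prev else 1
        prev = b
        if run >= cutoff:
            return True
    return False

# Constructed boot-time samples; none is trusted on its own.
CONSTRUCTED_SOURCES = {
    "mac_address": bytes.fromhex("02004c4f4f50"),        # public, "known to suck"
    "boot_timer_jitter": bytes([17, 203, 44, 91, 250, 6, 138, 77]),
    "adc_noise": bytes([130, 127, 131, 126, 129, 128, 132, 125]),
    "stuck_sensor": bytes([42] * 8),                      # fails the health test
}

def healthy_sources(sources: dict, cutoff: int = 6) -> list:
    """Names of sources that pass the repetition count test."""
    return [n for n, s in sources.items() if not repetition_count_fail(s, cutoff)]

def seed_from(sources: dict) -> bytes:
    # Everything is mixed, healthy or not; a stuck source adds nothing but costs nothing.
    return combine_sources(sources.values())

def every_source_matters(sources: dict) -> bool:
    """Flipping one bit in any single source must change the seed."""
    base = seed_from(sources)
    for name, s in sources.items():
        flipped = dict(sources)
        flipped[name] = bytes([s[0] ^ 1]) + s[1:]
        if seed_from(flipped) == base:
            return False
    return True
```

In practice the health test decides how much entropy the device may claim before seeding, while the mixing step is what keeps any single controlled or predictable source from deciding the output.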
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography