[29706] in cryptography@c2.net mail archive
Re: Use of TPM chip for RNG?
daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Jul 4 23:22:31 2006
X-Original-To: cryptography@metzdowd.com
Date: Tue, 04 Jul 2006 23:55:24 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: cryptography@metzdowd.com, hal@finney.org
In-Reply-To: <E1FxEDO-0000GF-00@medusa01.cs.auckland.ac.nz>
Peter Gutmann wrote:
> hal@finney.org ("Hal Finney") writes:
>
>> A few weeks ago I asked for information on using the increasingly prevalent
>> built-in TPM chips in computers (especially laptops) as a random number
>> source.
>
> You have to be pretty careful here. Most of the TPM chips are just rebadged
> smart cards, and the RNGs on those are often rather dubious. A standard
> technique is to repeatedly encrypt some stored seed with an onboard block
> cipher (e.g. DES) as your "RNG". Beyond the obvious attacks (DES as a PRNG
> isn't particularly strong) there are the usual paranoia concerns (how do we
> know the manufacturer doesn't keep a log of the seed and key?) and stupidity
> concerns (all devices use the same hardwired key, which some manufacturers
> have done in the past). There are also active attacks possible, e.g. request
> values from the device until the EEPROM locks up, after which you get constant
> "random" values. Finally, some devices have badly-designed challenge-response
> protocols that give you an infinite amount of RNG output to analyse, as well
> as helping cycle the RNG to lockup.
Glad to see some new information in a thread that is otherwise giving me
a huge sense of deja vu. So ... where are these rebadged smartcards
deployed? Who rebadges them?
>
> So the only hardware RNG I'd trust is one of the noise-based ones on full-
> scale crypto processors like the Broadcom or HiFn devices, or the Via x86's.
> There are some smart-card vendors who've tried to replicate this type of
> generator in a card form-factor device, but from what little technical info is
> available about generators on smart cards it seems to be mostly smoke and
> mirrors.
>
> (As an extension of this, the lack of access to a TPM's RNG isn't really any
> great loss. If it's there, you can mix it opportunistically into your own
> RNG, but I wouldn't rely on it).
+1.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
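The "mix it opportunistically into your own RNG, but don't rely on it" advice above, worked through as an added example (my code, not anything from the thread or any TPM vendor): the hardware sample is folded into OS entropy through an HMAC-SHA256 extractor keyed by the trusted bytes, so a locked-up or attacker-influenced device can add entropy but never subtract it. `LockingHwRng` is a constructed simulation of the EEPROM-lockup failure Gutmann describes, and the choice of HMAC-SHA256 as the mixer is my assumption.

```python
import hashlib
import hmac
import os
from typing import Callable


def mix_entropy(trusted: bytes, untrusted: bytes, label: bytes = b"hw-rng-mix") -> bytes:
    """Fold an untrusted hardware-RNG sample into trusted OS entropy.

    HMAC-SHA256 is keyed with the trusted bytes and applied to the untrusted
    sample (domain-separated and length-prefixed). The output is unpredictable
    whenever `trusted` is, regardless of whether the hardware sample is fresh,
    constant (locked-up device) or chosen by an adversary without the key.
    """
    if len(trusted) < 32:
        raise ValueError("need at least 256 bits of trusted entropy")
    msg = label + len(untrusted).to_bytes(4, "big") + untrusted
    return hmac.new(trusted, msg, hashlib.sha256).digest()


class LockingHwRng:
    """Constructed stand-in for the failure mode in the thread: fresh output for
    `budget` requests, then the same constant bytes forever."""

    def __init__(self, budget: int, seed: int = 1) -> None:
        self.budget, self.state = budget, seed

    def read(self, n: int) -> bytes:
        if self.budget > 0:
            self.budget -= 1
            digest = hashlib.sha256(self.state.to_bytes(32, "big")).digest()
            self.state = int.from_bytes(digest, "big")
            return digest[:n]
        return b"\x00" * n  # locked up: constant "random" values


def opportunistic_random(n: int, hw_read: Callable[[int], bytes],
                         os_read: Callable[[int], bytes] = os.urandom) -> bytes:
    """Return n bytes derived from the OS pool with hardware output mixed in.

    Each 32-byte block uses fresh OS entropy as the HMAC key; the hardware
    sample plus a block counter is the message. If the device is absent
    (OSError), the block is still sound because only the key must be secret.
    """
    out, counter = b"", 0
    while len(out) < n:
        try:
            hw = hw_read(32)
        except OSError:
            hw = b""  # device unavailable: trusted source carries the block alone
        out += mix_entropy(os_read(32), hw + counter.to_bytes(4, "big"))
        counter += 1
    return out[:n]
```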
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com