[29707] in cryptography@c2.net mail archive


Re: Use of TPM chip for RNG?

daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Tue Jul 4 23:22:49 2006

X-Original-To: cryptography@metzdowd.com
Date: Tue, 4 Jul 2006 17:49:25 -0400
From: Thor Lancelot Simon <tls@rek.tjls.com>
To: Anne & Lynn Wheeler <lynn@garlic.com>, f@panix.com
Cc: cryptography@metzdowd.com
Reply-To: tls@rek.tjls.com
In-Reply-To: <44A948A1.1090002@garlic.com>

On Mon, Jul 03, 2006 at 10:41:05AM -0600, Anne & Lynn Wheeler wrote:
> 
> however, at least some of the TPM chips have RNGs that have some level 
> of certification (although you might have to do some investigation to 
> find out what specific chip is being used for TPM).

See one of the examples in my other message today in this thread (subject
changed as an aid to new readers) for an example of why you should *not*
trust such certifications as evidence that the RNG is any good.

Summary: I have encountered one such RNG that was FIPS-140 certified as
a Deterministic RNG but whose "hardware" inputs the vendor refused to
disclose, which I find extremely suspicious.  It is possible to get a
DRNG certified without careful analysis of what its input is; I have
personally seen this happen and heard of more instances even after NIST
gave specific guidance to the contrary.

-- 
  Thor Lancelot Simon	                                     tls@rek.tjls.com

  "We cannot usually in social life pursue a single value or a single moral
   aim, untroubled by the need to compromise with others."      - H.L.A. Hart

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
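Editor's added example (not code from the list poster or from any vendor or certification body): the message above argues that a DRNG can be certified on the strength of its deterministic algorithm while nothing checks the entropy of the "hardware" input feeding it. The script below makes that concrete. It builds a small hash-chained deterministic generator (an illustrative construction, not NIST SP 800-90A Hash_DRBG), seeds it from a constructed stand-in for an undisclosed hardware input that only ever carries 16 bits of variability, shows the output looks fine to a NIST SP 800-22 style monobit check, and then recovers the seed by brute force from 32 bytes of output. The names HashDRNG, weak_hardware_input and the 16-bit input width are assumptions made for the example.

```python
import hashlib
import math
from typing import Optional


class HashDRNG:
    """Minimal hash-chained deterministic RNG.

    Illustrative only: this is neither SP 800-90A Hash_DRBG nor any vendor's
    design. The point is that its output quality is independent of how much
    entropy the seed actually carried.
    """

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(b"seed|" + seed).digest()

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            # Advance the chain, then derive an output block from the new state
            # with a different domain tag so state is not exposed directly.
            self.state = hashlib.sha256(b"next|" + self.state).digest()
            out += hashlib.sha256(b"out|" + self.state).digest()
        return bytes(out[:n])


def weak_hardware_input(counter: int) -> bytes:
    # Constructed stand-in for an undisclosed "hardware" entropy source that,
    # unknown to the certifier, only varies over 16 bits (an assumption made
    # for this example).
    return (counter & 0xFFFF).to_bytes(2, "big")


def ones_fraction(data: bytes) -> float:
    # Fraction of 1 bits; for a good generator this sits very close to 0.5.
    total_bits = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return ones / total_bits


def monobit_pvalue(data: bytes) -> float:
    # SP 800-22 frequency (monobit) test: p-value from the normalised bit count.
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def recover_seed(sample: bytes) -> Optional[int]:
    # An attacker who knows (or guesses) the input structure needs at most
    # 65536 trials to find the seed behind an observed output sample.
    for candidate in range(1 << 16):
        drng = HashDRNG(weak_hardware_input(candidate))
        if drng.random_bytes(len(sample)) == sample:
            return candidate
    return None


def demo(true_counter: int = 0xBEEF) -> dict:
    seed = weak_hardware_input(true_counter)
    # What a statistical test suite sees: a long, well-distributed stream.
    stream = HashDRNG(seed).random_bytes(4096)
    # What an attacker sees: a short slice of output, enough to confirm a guess.
    observed = HashDRNG(seed).random_bytes(32)
    return {
        "ones_fraction": ones_fraction(stream),
        "monobit_pvalue": monobit_pvalue(stream),
        "recovered_counter": recover_seed(observed),
    }


if __name__ == "__main__":
    result = demo()
    print("ones fraction   :", round(result["ones_fraction"], 4))
    print("monobit p-value :", round(result["monobit_pvalue"], 4))
    print("seed recovered  :", hex(result["recovered_counter"]))
```

The statistical check passes because SHA-256 whitens whatever it is given; it says nothing about whether the seed came from 16 bits or 256 bits of entropy. That gap is exactly what an evaluation of the deterministic part alone cannot close, which is why the input source has to be disclosed and analysed separately.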
