[4043] in cryptography@c2.net mail archive


Re: Intel announcements at RSA '99

daemon@ATHENA.MIT.EDU (David Honig)
Fri Jan 22 12:21:22 1999

Date: Fri, 22 Jan 1999 08:03:54 -0800
To: Eric Murray <ericm@lne.com>, cryptography@c2.net
From: David Honig <honig@sprynet.com>
In-Reply-To: <19990121090235.30683@slack.lne.com>

At 09:02 AM 1/21/99 -0800, Eric Murray wrote:
>On Wed, Jan 20, 1999 at 02:42:19PM -0800, David Honig wrote:
>> At 08:56 PM 1/20/99 +0000, Ben Laurie wrote:
>> >Steve Bellovin wrote:
>> >> 
>> >> Intel has announced a number of interesting things at the RSA conference.
>> >> The most important, to me, is the inclusion of a hardware random number
>> >> generator (based on thermal noise) in the Pentium III instruction set.
>> >> They also announced hardware support for IPSEC.
>> >
>> >An interesting question (for me, at least) is: how will I know that the
>> >hardware RNG is really producing stuff based on thermal noise, and not,
>> >say, on the serial number, some secret known to Intel, and a PRNG?
>> >
>> 
>> You would have to reverse engineer random samples of the chip to gain
>> *some* confidence.  Intel could make this easier by providing
>> their "source" and tool flow, from specs to a HDL to synthesis to layout.
>
>Since PRNGs cycle, with enough output you could tell if a given
>chip is using a PRNG[1].  

Impractical.  It's easy to build a PRNG with a cycle longer than your lifetime.

>You could also correlate output from different
>chips with similar serial numbers, since their seeds would be similar
>(the secret would probably be a fixed value for large numbers of chips
>since it's pretty expensive to put a unique value like a serial number in
>each chip).

But the cryptographic property of a good PRNG (that a single input bit change
is likely to flip half the output bits) makes this untrue.


>If it really worried you, you could use the Intel RNG either as part
>of a seed for your own PRNG with some other software-generated seed
>material (but then you're sinning just a little :-) which would make the
>output difficult to guess even knowing all the seed material from the RNG.

Um, if you don't have a measured physical attribute entering the system,
you're sinning as much as is possible.

>> I suspect there'll be a niche for a Crypto-Underwriter's Labs which performs
>> 'independent' (like that will ever be agreed upon!) analyses on hardware.
>
>Interestingly, NIST reported yesterday that there's been a huge
>jump recently in FIPS 140-1 certification activity.

NIST is a pawn best left to tending blocks of metal under bell jars, and
does not do chip reverse engineering.  

If you like NIST verifying your hardware, you're gonna love the Post Office
being your digital certificate authority.
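Added illustration of the avalanche point made in this message, not code from the thread or from Intel: a SHA-256 counter-mode generator stands in for a hypothetical on-chip PRNG, and the seeds (a fixed secret plus consecutive serial numbers) are constructed here. It shows that streams from "neighbouring" chips differ in about half their bits, so correlating outputs across similar serial numbers does not reveal a shared secret.

```python
import hashlib


def prng_output(seed: bytes, nbytes: int) -> bytes:
    """Hash-based PRNG in counter mode: block i = SHA-256(seed || i).

    Stand-in for an unspecified on-chip PRNG (an assumption of this example),
    chosen because SHA-256 has the avalanche property the message refers to.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bit positions in which two equal-length strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def neighbouring_chip_seeds(base_serial: int, count: int, secret: bytes) -> list:
    """Constructed seeds for 'chips with similar serial numbers': the same
    fixed secret followed by consecutive 64-bit serial numbers."""
    return [secret + (base_serial + i).to_bytes(8, "big") for i in range(count)]


def correlation_between_neighbours(seeds: list, nbytes: int = 4096) -> list:
    """Hamming fraction between the output streams of each adjacent seed pair.

    Values near 0.5 mean the streams look unrelated, even though the seeds
    differ in only a few low-order bits of the serial number.
    """
    streams = [prng_output(s, nbytes) for s in seeds]
    return [hamming_fraction(streams[i], streams[i + 1])
            for i in range(len(streams) - 1)]


if __name__ == "__main__":
    # Constructed sample: six 'chips' with serial numbers 1000..1005.
    seeds = neighbouring_chip_seeds(1000, 6, b"constructed-secret")
    for i, frac in enumerate(correlation_between_neighbours(seeds)):
        print(f"serial {1000 + i} vs {1001 + i}: {frac:.3f} of bits differ")
```

The same measurement applied to a generator without avalanche (for example a linear congruential generator seeded directly with the serial number) would show the low Hamming fractions that make the proposed correlation test work.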
