On Wed, Jan 20, 1999 at 02:42:19PM -0800, David Honig wrote:
> At 08:56 PM 1/20/99 +0000, Ben Laurie wrote:
> >Steve Bellovin wrote:
> >> 
> >> Intel has announced a number of interesting things at the RSA conference.
> >> The most important, to me, is the inclusion of a hardware random number
> >> generator (based on thermal noise) in the Pentium III instruction set.
> >> They also announced hardware support for IPSEC.
> >
> >An interesting question (for me, at least) is: how will I know that the
> >hardware RNG is really producing stuff based on thermal noise, and not,
> >say, on the serial number, some secret known to Intel, and a PRNG?
> >
> 
> You would have to reverse engineer random samples of the chip to gain
> *some* confidence.  Intel could make this easier by providing
> their "source" and tool flow, from specs to a HDL to synthesis to layout.

Since PRNGs cycle, with enough output you could tell if a given
chip is using a PRNG[1].  You could also correlate output from different
chips with similar serial numbers, since their seeds would be similar
(the secret would probably be a fixed value for large numbers of chips
since it's pretty expensive to put a unique value like a serial number in
each chip).

If it really worried you, you could use the Intel RNG either as part
of a seed for your own PRNG with some other software-generated seed
material (but then you're sinning just a little :-) which would make the
output difficult to guess even knowing all the seed material from the RNG.

> I suspect there'll be a niche for a Crypto-Underwriter's Labs which performs
> 'independent' (like that will ever be agreed upon!) analyses on hardware.

Interestingly, NIST reported yesterday that there's been a huge
jump recently in FIPS 140-1 certification activity.
The question I have about Intel's announcement is about the s/n.  If
software vendors use it to ID various bits of software (or as your
ID into a chat room, the example used by the Intel exec announcing the stuff)
how are you going to keep hackers from diddling the software that
calls the chip s/n routine to make it return whatever they want? 

Other systems which have had unit s/ns (i.e. Sun's hostid) have been
hacked, not in the hardware, but in the software which called the
routine.  Some hacks were pretty sophisticated, letting the user
set the hostid for each process group and supporting numerous
hostids per real host.  All of this pretty much defeated the
node locking which the software vendors and Sun had intended to happen.
1. assuming that the RNG produces output fast enough since good PRNGs
have long cycles.  You wouldn't have to store all the output, just
the beginning X bytes to detect the start of the next cycle.

-- 
Eric Murray          N*Able Technologies                    www.nabletech.com
(email:  ericm  at the sites lne.com or nabletech.com)     PGP keyid:E03F65E5
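Two of the defensive ideas in the reply above, the footnote's "remember the first X bytes and watch for them to come round again" check and the suggestion of folding the hardware RNG output into a seed together with independently gathered software material, as an added worked example. This code is not from the original mail, from Eric Murray, or from Intel; every name in it (`detect_cycle`, `toy_prng`, `mix_seed`, `HmacDrbg`) is this example's own, and both "hardware" sources are simulated.

```python
# Added example (not from the original mail): two defensive responses to a
# hardware RNG whose internals you cannot inspect.
#   1. detect_cycle(): keep only the first marker_len bytes of output plus a
#      sliding window, and report the offset at which the marker recurs. A
#      short-period PRNG posing as a noise source will eventually trip this;
#      a genuine noise source will not (within any practical scan limit).
#   2. mix_seed() / HmacDrbg: hash the hardware output together with
#      independent software-gathered seed material, then drive a keyed
#      generator from the result, so that knowing one input alone is not
#      enough to predict the output.
# All sources and names here are constructed for illustration.
import hashlib
import hmac
import os
from typing import Iterable, Iterator, Optional


def detect_cycle(stream: Iterable[bytes], marker_len: int = 32,
                 limit: int = 1 << 20) -> Optional[int]:
    """Return the byte offset at which the first marker_len bytes recur,
    or None if no recurrence is seen within `limit` bytes.

    Memory is O(marker_len) no matter how much output is scanned."""
    marker = bytearray()
    window = bytearray()
    seen = 0
    for chunk in stream:
        for b in chunk:
            seen += 1
            if len(marker) < marker_len:
                marker.append(b)          # still collecting the marker
                continue
            window.append(b)
            if len(window) > marker_len:
                del window[0]             # slide the window forward
            if len(window) == marker_len and window == marker:
                return seen - marker_len  # offset where the repeat starts
            if seen >= limit:
                return None
    return None


def toy_prng(seed: bytes, period: int) -> Iterator[bytes]:
    """Constructed stand-in for a 'hardware' source that is secretly a PRNG
    with a short period: 32-byte block i depends only on i mod period."""
    i = 0
    while True:
        yield hashlib.sha256(seed + (i % period).to_bytes(4, "big")).digest()
        i += 1


def urandom_stream() -> Iterator[bytes]:
    """Constructed stand-in for a real noise source (the OS CSPRNG here)."""
    while True:
        yield os.urandom(32)


def mix_seed(hardware_bytes: bytes, software_bytes: bytes,
             personalization: bytes = b"") -> bytes:
    """Hash independent seed sources together. Each part is length-prefixed
    so that the boundaries between sources are unambiguous."""
    h = hashlib.sha256()
    for part in (hardware_bytes, software_bytes, personalization):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


class HmacDrbg:
    """Minimal HMAC-SHA256 counter-mode generator keyed from a mixed seed.
    Illustrative only: no reseeding, and leftover bytes of a block are
    discarded rather than buffered."""

    def __init__(self, seed: bytes):
        self.key = hmac.new(seed, b"key-expansion", hashlib.sha256).digest()
        self.counter = 0

    def generate(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            block = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            self.counter += 1
        return bytes(out[:n])


if __name__ == "__main__":
    # The short-period fake repeats its first block after period*32 bytes.
    print("fake source repeats at offset:", detect_cycle(toy_prng(b"seed", 8)))
    print("real source within 1 MiB:", detect_cycle(urandom_stream()))
    hw = next(urandom_stream())                 # one sample from the "chip"
    sw = os.urandom(32)                         # independent software material
    gen = HmacDrbg(mix_seed(hw, sw, b"example"))
    print("mixed output:", gen.generate(16).hex())
```

`detect_cycle` only ever holds the marker and one window in memory, which is the point of the footnote: you do not need to store the whole output to notice the start of the next cycle. `mix_seed` length-prefixes each source so that `(hw=b"ab", sw=b"c")` and `(hw=b"a", sw=b"bc")` hash differently, a small detail that matters whenever several variable-length inputs are concatenated before hashing.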