On Wed, 13 Feb 2008, Dave Korn wrote: > On 11 February 2008 17:37, Crawford Nathan-HMGT87 wrote: > > I'm wondering if they've considered the possibility of EMI skewing > > the operation of the device, or other means of causing the device > > to genearate "less than completely random" numbers. > > Not necessarily a problem, although it does depend on their > design. Even if by saturating the chip in an intense EM field you > can skew the result almost all the way to 1 or 0, won't the standard > debiassing trick of examining successive pairs of bits handle that?
It depends on the attack: Consider John von Neumann's algorithm that, say, outputs the first bit in each pair if bits are different. If you apply EM attack and get 0s almost everywhere 00 00 00 01 00 00 00 10 00 00 10 00 00 but cannot control where 1s are exactly, then JvN corrector helps, but if your EM attack is such that it makes long runs of 0s and 1s 00 00 00 11 11 11 10 00 00 00 01 11 11 and you can detect when the bits are produced then you know exactly what bits are produced (if a bit produced on transition from 0s to 1s then it is 0). Considering speed of nondeterministic RNG, it seems pointless at least for those who go thru FIPS certification. FIPS 140-2 says Commercially available nondeterministic RNGs may be used for the purpose of generating seeds for Approved deterministic RNGs. [...] An Approved RNG shall be used for the generation of cryptographic keys used by an Approved security function. The output from a non-Approved RNG may be used 1) as input (e.g., seed, and seed key) to an Approved deterministic RNG or 2) to generate initialization vectors (IVs) for Approved security function(s). and currently there is no Approved nondeterministic RNG, so the only option is to use nondeterministic RNG to generate seeds for the deterministic one and one does not need MBps speed to generate a seed. But again, comparing a useful feature and a check mark on marketing slides, the latter is doomed to be implemented. -- Regards, ASK --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]