On 23/06/12 03:06 AM, Marsh Ray wrote:
On 06/21/2012 09:05 PM, ianG wrote:
On 22/06/12 06:53 AM, Michael Nelson wrote:
"At the output of the DRBG, through RdRand, you have no visibility
of these processes. We seek to limit the side channels through
which an attacker could determine the internal state of the DRNG."
Good answer!
This be the right choice, but I can't figure out how it's different from
security-through-obscurity.
I don't see it as much different although we could discuss the precise
semantics.
The thing is, security-thru-obscurity is neither an absolute nor always
good. It's a principle; it happens to be a good thing when there is too
much secrecy. But it also happens to be a valuable part of security
models in contexts where secrecy can work for the defender.
And, now it is possible to see a case where even if we didn't need the
secrecy for administrative reasons, random number generation may want to
keep the seed input to the DRBG secret.
In that sense, maybe it is secrecy like private keys are secrets?
I suppose that if the rng was shared between multiple processes,
and if a malicious process could read the internal state, then it
could predict what another process was going to be given in the
near future.
That said, I think that it's a natural factoring to let the user
see the bits directly from the hardware source, before any
massaging. Perhaps this could be a mode.
Perhaps another way to phrase it is providing a different source of
(raw, unconditioned) entropy for folks who already have a software pool
which requires entropy estimates on the incoming data.
Such people also have an ability to mix in multiple sources, and are
well used to such. So yes, raw entropy is good, but we are so used to
skepticism about the pureness of our source that we've given up the
demand for it.
...
So what you get is what you get. Love it or leave it. [...] So we
have a situation where we can rely on the chip to do what is
advertised, but we can't rely on the manufacturer to give us exactly
the chip that they advertised.
The same is true of the instructions handling our private key material
though, right? They could all be backdoored to leak info through some
secret side channel. What's special about the RdRand instruction?
Yes. So if they are backdoored, why bother to prove the quality? In
situations like this, the reputation of the manufacturer provides a
reasonable guarantee.
Is it that random number generation is considered 'in scope' for
cryptography whereas ALU backdoors are not?
Hmmm good question. I think cryptography, at least the civil form we
know of, got a bit burnt in the 1990s by following an 'in scope' threat
model. RNGs are in scope, and some models I have seen indicate ALUs are
in scope too (or fudged chips or dodgy network cards, etc). Side
channel attacks are now in scope, perhaps due to CRI's original work.
Perhaps we're just waiting for an ALU attack to come out, a la recent
revelations.
Is it that it seems more practical to engineer a weak key attack from
weak entropy source?
That weak key generation produces exposure that persists across space
and time via the ciphertext?
The history of cryptographic attacks by NSA seems to indicate a love of
weak RNGs. If I was them, I'd lay down a lotta moola for a predictable
chip RNG, and a compliant population.
That's just my thoughts.
iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
