On 2014-11-23 09:47, Russell Leidich wrote:
"in your case, hash 128+N samples to get, say, 127.99 bits of entropy
per hash output. N is small, under 20 I think."

Yeah, this is certainly inspiring with respect to milking decent entropy
from coldbootish environments. If we assume the use of a "good" hash,
then the problem reduces to one of asking how much entropy a sample is
worth.

But this is where Pandora's box opens up: modern systems -- even mobile
phones -- are so complicated that autopseudorandomness can look very
convincingly like a TRNG. For instance, we could have predictable cache
stalls, bus stalls, pipeline stalls, etc. which interact like a decent
PRNG in order to render the appearance of physical entropy even in the
absence of interrupts. But we could still end up with a painfully narrow
set of possible outputs, which would still be too large to perceive. For
instance, our 128-bit random number might be worth only 70 bits, so we
likely wouldn't detect that weakness until it comes back to bite us in
the future.

If there is any true randomness in the system, autopseudorandomness will mix it with everything else, and so Jytter will collect it.

But in a coldboot system, there may well be very little true randomness.

So, every boot image should have its own unique 128- or 256-bit secret unpredictable to an adversary.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
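The exchange above turns on one point: hashing 128+N samples gives ~128 bits of entropy only if the samples actually carry it, and an auto-pseudorandom source can fool a per-sample estimate while its whole output space stays small. The following is an added illustration, not code from the thread or from Jytter. It assumes a constructed stand-in for such a source (a full-period 16-bit LCG whose high byte plays the role of a "timing" sample), SHA-256 truncated to 128 bits as the "good hash", and the most-common-value min-entropy estimator from NIST SP 800-90B. The estimator reports 8 bits per sample and so asks for 16 samples; enumerating every seed of a 12-bit seed space then shows the extractor can emit at most 4096 distinct 128-bit values, i.e. the output is worth 12 bits, not 128, and nothing downstream of the hash could tell.

```python
"""Added example (not from the thread): a per-sample min-entropy estimate
can look fine while the hashed output is worth far fewer bits, because the
hash cannot create entropy the source never had."""
import hashlib
import math
from collections import Counter

MASK16 = 0xFFFF
LCG_A = 3533   # 69069 mod 2^16; a-1 divisible by 4 -> full period with odd c
LCG_C = 1


def lcg_source(seed, n):
    """Constructed stand-in for an auto-pseudorandom jitter source: returns
    n 'timing' bytes (the high byte of a full-period 16-bit LCG). It is
    fully determined by the 16-bit seed, however random it looks."""
    x = seed & MASK16
    out = []
    for _ in range(n):
        x = (LCG_A * x + LCG_C) & MASK16
        out.append(x >> 8)
    return out


def min_entropy_per_sample(samples):
    """Most-common-value estimate H_min = -log2(p_max), bits per sample
    (the MCV estimator of NIST SP 800-90B)."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def samples_needed(target_bits, bits_per_sample):
    """Samples to hash for target_bits of entropy, if the per-sample
    estimate were true and the samples were independent."""
    return math.ceil(target_bits / bits_per_sample)


def extract(samples):
    """'Good hash' extractor: SHA-256 over the raw samples, 128-bit output."""
    return hashlib.sha256(bytes(samples)).digest()[:16]


def distinct_outputs(seed_bits, n_samples):
    """Count distinct extractor outputs over every possible seed. The count
    can never exceed 2**seed_bits, whatever the per-sample estimate said:
    the output entropy is capped by the source's state space."""
    seen = set()
    for seed in range(1 << seed_bits):
        seen.add(extract(lcg_source(seed, n_samples)))
    return len(seen)


if __name__ == "__main__":
    # Over one full period every high byte occurs exactly 256 times,
    # so the MCV estimate is a flattering 8.0 bits per sample.
    h = min_entropy_per_sample(lcg_source(1, 1 << 16))
    n = samples_needed(128, h)
    print(f"per-sample MCV estimate: {h:.2f} bits -> hash {n} samples for 128 bits")
    d = distinct_outputs(12, n)
    print(f"but over a 12-bit seed space only {d} distinct outputs "
          f"(<= {1 << 12}): the output is worth at most 12 bits")
```

The same bound applies to any deterministic mixing of cache, bus and pipeline stalls: whatever the estimator says per sample, the hashed output carries no more entropy than the unpredictable state that drove the samples, which is why the per-boot secret in the last message is a more defensible floor than any estimate taken on the samples themselves.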
