On Tuesday, March 18, 2014 7:17:31 PM UTC-4, D. J. Bernstein wrote: > > Arnold Reinhold writes: > > A determined attacker might be willing to absorb the effort and risk > > to covertly penetrate physical security barriers if doing so will lead > > to a permanent compromise of a one-time-seeded PRNG > > You misunderstand the argument that you're responding to. > > The argument, in the case of side-channel attacks, is _not_ "Don't worry > about side-channel attacks---you aren't being targeted by those." > > The argument is "When a side-channel attacker is stealing your long-term > PGP key, your long-term SSH key, your long-term SSL key, etc., what > exactly do you think you're accomplishing by dribbling fresh entropy > into your RNG? It's too late! You've already lost! Try paying attention > to the actual problem: go back to the system design and start applying > side-channel countermeasures." > > There's an extensive public literature on side-channel attacks and > defenses, notably in the proceedings of the top-tier Cryptographic > Hardware and Embedded Systems conference series. The attacks are much > more expensive for RNGs than for long-term keys (RNG state has far less > interaction with attacker-controlled input, and each state is used only > once), and the defenses are correspondingly easier; anyone capable of > protecting the long-term keys is also capable of protecting the RNG. > > Similar comments apply to other "RNG state compromise" attacks. Sure, > there have been security failures that allowed attackers to read the > system's RNG state, but those failures also allowed attackers to read > long-term keys, and that's a much worse problem. Viewing this as an RNG > issue, and trying to "recover" from it by complicating the RNG, doesn't > make any sense. What makes sense is to address the underlying security > failures, protecting _all_ of the secrets stored in the system. > > > We now have something we never had before, an apparently thorough > > rigorous analysis of the reseeding issue. > > I see no connection between "the reseeding issue" and actual security. > > ---Dan >
I was answering what I perceived as skepticism about the Tempest attack threat, but I would like to respond to your broader point. A random number generator (RNG) is a component of security systems. Electronic signature, symmetric and asymmetric encryption algorithms are other components. The argument seems to be that component A need not be resistant to attack X because critical component B is even more susceptible to X than A is. A counter position is that we should make component A as resistant to X as it can safely be, with reasonable effort, and also try to improve the resistance of component B to X. It’s at least conceivable that credentials can be made less subject to side channel attack. One might, for example, use multi-layer credentials, with the operational credentials changed regularly. Transactions would be signed and encrypted using working keys with a short lifespan. The top level credential would be used very infrequently, limiting its exposure to side channels. The top level credential might also subject to further protections, perhaps stored in a separate module, or encrypted after signing second level credentials, perhaps using a public key of some remote station. That station might then authorize decryption for signing only when the system is under direct supervision. Such a system could recover from a compromise of its short term and intermediate term keys, perhaps in in a time frame comparable to an RNG recovery or even synchronized with the RNG reseeds. It might be argued that any credential compromise is damaging, but the damage from a short term compromise can be limited. A seed-only-once RNG can never recover from a state compromise. The context here is a proposed revision for RFC 4086 Randomness Requirements for Security. If all goes smoothly the new RFC might come out in 2015 or 2016. Any new RNG recommendations it makes will take several years to appear in common operating systems and crypto libraries. Secure systems based on those components will then likely be in the field for a decade or more. That means systems influenced by the new RFC will be operating well into the 2030s. I don’t think we can predict all the uses for unpredictable quantities and possible attacks in that long a time frame. The Dodis paper suggests a sound basis for designing RNGs that recover from state compromise. It remains to be seen if flaws in their reasoning surface and if practical code based on their ideas will emerge free of intellectual property restrictions. But I think it is much too soon to rule out inclusion of such a scheme in the proposed RFC. Arnold Reinhold
_______________________________________________ dsfjdssdfsd mailing list [email protected] https://www.ietf.org/mailman/listinfo/dsfjdssdfsd
