> http://blog.cr.yp.to/20140205-entropy.html
Thanks for the linkage on the DJB paper, I'll check it out.

(skims) Interesting regarding controlling a few bits of the hash. Sounds a lot like a variation on subliminal channels: http://en.wikipedia.org/wiki/Subliminal_channel

Aside: Oh dear, there's other RNG mailing lists? Drat. Need to subscribe.

I am at odds with him over pure determinism though. I don't think his attack is as important as the attack where one gets the state once and defeats security forever, since his requires active interaction over a long period of time versus a one-time confidentiality loss.

I'm interested in the RDRAND/RDSEED design that details testing the HWRNG output directly (pre-whitening); is this it? http://software.intel.com/sites/default/files/m/d/4/1/d/8/441_Intel_R__DRNG_Software_Implementation_Guide_final_Aug7.pdf

On Thu, Mar 20, 2014 at 07:11:35PM -0700, coderman wrote:
> indeed, this is far more common than not. (that was another aspect of
> my grief, we should have had good raw access entropy sources in all of
> our microprocessors for many years now!)
>
> Marsh Ray conveyed a beautiful picture of why this is not so for
> entirely reasonable reasons, but it is none the less frustrating.

What's the hyperlink/msgid for that? Would like to see.

Sorry my idea was hasty 10 years ago and I did a quick modification to it before sending. As you say, it needs a thorough rewrite. No worries on your also-hasty response.

And perhaps the whitening step before broadcast (step 5) really is a bad idea; by sending the RNG output directly, one could have each network client verify that it has not suffered a "normal" failure (to whatever test it chooses to run). It also means a passive network monitoring device can monitor the system health. It implies the clients must necessarily whiten it before use to defend against adversaries with LAN access or network sniffers, but that's good design anyway.
Obviously no client can ascertain whether the randomness is controlled or predictable by an adversary who hacks the RNG box, but that is the nature of the game.

Yes, one's experience and POV certainly shape the desired solution, and there is room for many. I've noticed my solutions change from specific and hard-edged to more broad and softer over time.

Though I am both happy and sad that my concerns are now widely understood, and that I was vindicated by now-public cryptologic attacks exactly like I described on at least 3 occasions. I think it would be fascinating to go back through my mail archives and see who vociferously argued that those threats were invalid, and what other attempts they might have made to influence opinion and debate in the crypto community. I think that would be a wonderful study in the challenge of finesse.

-- 
http://www.subspacefield.org/~travis/
Remediating... LIKE A BOSS
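As an added example that is not part of this post or of any list member's code: one way a network client could run the "normal failure" check on broadcast raw (pre-whitening) RNG output, and then whiten it into its own pool before use, following the design sketched in the message above. It uses the repetition-count and adaptive-proportion continuous tests from NIST SP 800-90B; the cutoffs, the sample data and the client-local pool are constructed for illustration, and real cutoffs depend on the source's claimed min-entropy.

```python
# Added example: client-side health test of raw RNG broadcast, then local whitening.
# Constructed thresholds (not from the post or from a real deployment).
import hashlib

RCT_CUTOFF = 41    # repetition count test: fail on a run of identical bytes this long
APT_WINDOW = 512   # adaptive proportion test: window size for 8-bit samples
APT_CUTOFF = 410   # fail if the window's first byte value occurs more than this often


def repetition_count_test(raw: bytes) -> bool:
    """Detect a stuck source: any byte value repeating RCT_CUTOFF times in a row."""
    run = 1
    for prev, cur in zip(raw, raw[1:]):
        run = run + 1 if cur == prev else 1
        if run >= RCT_CUTOFF:
            return False
    return True


def adaptive_proportion_test(raw: bytes) -> bool:
    """Detect a heavily biased source: one value dominating a window of samples."""
    for start in range(0, len(raw) - APT_WINDOW + 1, APT_WINDOW):
        window = raw[start:start + APT_WINDOW]
        if window.count(window[0]) > APT_CUTOFF:
            return False
    return True


def accept_raw_output(raw: bytes) -> bool:
    """The client's 'normal failure' check on the unwhitened broadcast."""
    return repetition_count_test(raw) and adaptive_proportion_test(raw)


def whiten(raw: bytes, local_pool: bytes) -> bytes:
    """Whiten before use: mix the broadcast bytes with client-local state (constructed
    pool) under SHA-256, so the bytes as seen on the wire are not what the client uses."""
    return hashlib.sha256(local_pool + raw).digest()


def client_receive(raw: bytes, local_pool: bytes):
    """Return whitened output for healthy raw input, or None if the tests reject it."""
    if not accept_raw_output(raw):
        return None
    return whiten(raw, local_pool)


# Constructed sample inputs: a healthy-looking stream, a stuck source, a biased source.
HEALTHY = bytes(range(256)) * 4
STUCK = b"\x00" * 1024
BIASED = bytes([0xAA] * 9 + [0x55]) * 103
```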
_______________________________________________ RNG mailing list [email protected] http://lists.bitrot.info/mailman/listinfo/rng
