[13011] in cryptography@c2.net mail archive
Re: Via puts RNGs on new processors
daemon@ATHENA.MIT.EDU (John Kelsey)
Thu Apr 10 11:11:20 2003
X-Original-To: cryptography@wasabisystems.com
Date: Wed, 09 Apr 2003 23:57:07 -0400
To: daw@mozart.cs.berkeley.edu (David Wagner),
cryptography@wasabisystems.com
From: John Kelsey <kelsey.j@ix.netcom.com>
In-Reply-To: <b71dph$roa$1@abraham.cs.berkeley.edu>
At 03:21 PM 4/9/03 +0000, David Wagner wrote:
>Ian Grigg wrote:
> >My world view would be that there is no such
> >thing as an acceptable off-the-shelf RNG.
>
>Why not? You rely on an off-the-shelf CPU, don't you?
>The CPU must be trusted just as much as the RNG.
It depends on what you're worried about, right? RNG failures can be pretty
subtle, and may be impossible to detect in software. If the RNG fails, it
might be nice to still get reasonable security.
Though it's not like it's easy to have unlimited faith in software-based
entropy collection processes, either....
More generally, malevolently altered CPUs make a different set of attacks
possible; they're more likely to either be interactive attacks, or to be
observable in the CPU's behavior. Like, if your CPU notices whenever a
3DES encryption is being done, and only does single-DES instead, it will be
easy to catch. If the CPU has some backdoor to get it into supervisor mode
whenever a certain 64-bit value appears on the memory bus, that's likely to
be useful for some attacks, but not for others. (It won't help you decrypt
a stored, encrypted file somewhere.)
--John Kelsey, kelsey.j@ix.netcom.com
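The point above about RNG failures being subtle, and about still wanting reasonable security if the hardware RNG fails, can be made concrete. The following is an added example written for this archive page; it is not code from the thread, from Via, or from any of the posters. It implements simplified continuous health tests in the style of NIST SP 800-90B (the repetition count test and the adaptive proportion test, with the alpha = 2^-20 false-alarm rate and the 4 bits/byte entropy estimate chosen here as assumptions), two constructed simulated sources (one stuck at a constant byte, one that is statistically clean but fully reproducible from a fixed seed), and a hash-based mixer that combines hardware output with a software entropy pool. The stuck source is caught by the tests; the reproducible one is not, which is the software-undetectable failure the message describes; and the mixer still produces unpredictable output from a stuck hardware source as long as the software pool is sound.

```python
"""Added example (not from the thread): simplified SP 800-90B style health
tests for a hardware RNG plus a hash-based mixer. Parameters and simulated
sources are assumptions made for this illustration."""
import hashlib
import math
from itertools import count


def repetition_cutoff(h_min: float, alpha_log2: int = 20) -> int:
    """Repetition count test cutoff, C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(alpha_log2 / h_min)


def proportion_cutoff(h_min: float, window: int = 512, alpha_log2: int = 20) -> int:
    """Smallest C with P(Binomial(window, 2**-h_min) >= C) < 2**-alpha_log2,
    computed from the exact binomial upper tail, scanned from the top down."""
    p = 2.0 ** -h_min
    alpha = 2.0 ** -alpha_log2
    tail = 0.0
    for c in range(window, -1, -1):
        tail += math.comb(window, c) * p ** c * (1 - p) ** (window - c)
        if tail >= alpha:
            return c + 1
    return 1


def repetition_count_test(samples: bytes, cutoff: int) -> bool:
    """Fail when any byte value repeats cutoff or more times in a row."""
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return False
    return True


def adaptive_proportion_test(samples: bytes, cutoff: int, window: int = 512) -> bool:
    """Fail when the first value of a window occurs cutoff or more times in it."""
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) >= cutoff:
            return False
    return True


def health_ok(samples: bytes, h_min: float) -> bool:
    """Both tests must pass for the assumed min-entropy per byte."""
    return (repetition_count_test(samples, repetition_cutoff(h_min))
            and adaptive_proportion_test(samples, proportion_cutoff(h_min)))


# Constructed simulated sources for the example.
def stuck_source(n: int) -> bytes:
    """Gross hardware failure: the generator emits the same byte forever."""
    return b"\xa5" * n


def backdoored_source(n: int, seed: bytes = b"fixed-seed-known-to-vendor") -> bytes:
    """Statistically clean output (SHA-256 in counter mode under a fixed seed),
    yet anyone holding the seed can regenerate every byte. No software
    statistical test distinguishes this from a good source."""
    out = bytearray()
    for i in count():
        out += hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
        if len(out) >= n:
            return bytes(out[:n])


def mix(hw: bytes, pool: bytes) -> bytes:
    """Combine hardware output with a software entropy pool (length-prefixed so
    the two inputs cannot be confused). If either input is unpredictable to
    the attacker, the digest is too."""
    return hashlib.sha256(len(hw).to_bytes(4, "big") + hw + pool).digest()


if __name__ == "__main__":
    print("stuck source passes health tests:", health_ok(stuck_source(4096), 4.0))
    print("seeded source passes health tests:", health_ok(backdoored_source(4096), 4.0))
    print("stuck hw + pool A:", mix(stuck_source(32), b"pool-a").hex()[:16])
    print("stuck hw + pool B:", mix(stuck_source(32), b"pool-b").hex()[:16])
```

Run as a script, it reports that the stuck source fails and the seeded source passes, and that the same stuck hardware output mixed with two different software pools yields two different values. The cutoffs reproduce the SP 800-90B formula (for a 1-bit source at alpha = 2^-20 the repetition cutoff is 21); in a real driver the tests would run continuously on the live stream rather than on a captured buffer.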
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com