[140326] in cryptography@c2.net mail archive


Re: CPRNGs are still an issue.

daemon@ATHENA.MIT.EDU (Damien Miller)
Wed Dec 17 12:20:20 2008

Date: Wed, 17 Dec 2008 09:42:38 +1100 (EST)
From: Damien Miller <djm@mindrot.org>
To: "mheyman@gmail.com" <mheyman@gmail.com>
cc: "James A. Donald" <jamesd@echeque.com>, cryptography@metzdowd.com
In-Reply-To: <5c8fcb9c0812160741s68ec27e3t5fe5809ec3e2ef@mail.gmail.com>

On Tue, 16 Dec 2008, mheyman@gmail.com wrote:

> On Thu, Dec 11, 2008 at 8:42 PM, Damien Miller <djm@mindrot.org> wrote:
> > On Thu, 11 Dec 2008, James A. Donald wrote:
> >
> >> If one uses a higher resolution counter - sub
> >> microsecond - and times multiple disk accesses, one gets
> >> true physical randomness, since disk access times are
> >> affected by turbulence, which is physically true
> >> random.
> >
> > Until someone runs your software on a SSD instead of a HDD. Oops.
> >
> Before we give up on using drive timings, does anyone have evidence to
> verify this assertion? The reviews I have seen using tools like HD
> Tune and HD Tach seem to show timing noise reading and writing SSDs. I
> don't know where the noise comes from - it is probably not turbulence
> <grin/> - but it may be random enough that a long series of tests, say
> for a second or so (don't forget, these drives are fast), could
> provide a nice pool of unguessable bits.

I think you have it quite backwards - in the absence of good evidence
that transaction timings on SSDs are dependent on some physically
unpredictable process (air turbulence, shot noise, etc.) then they
should not be considered suitable for cryptographic use, no matter how
"random looking" they are.

-d

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
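The exchange above turns on one distinction: a sample stream can look random to every statistical test and still be fully predictable to anyone who knows how it was produced. The following script is an added illustration, not code from the thread or from any of its participants. It feeds a constructed, perfectly deterministic stream (bytes of a SHA-256 chain, standing in for "random looking" device timings) to a most-common-value min-entropy estimator of the kind described in NIST SP 800-90B section 6.3.1. The estimator reports close to full entropy, yet a function holding the seed reproduces every sample. The seed, the sample count, and the use of a hash chain as the stand-in source are assumptions of this example.

```python
"""Added example (not from the thread): why "random looking" is not enough.

A statistical estimator measures how a sample stream *looks*; it cannot
tell whether an adversary can *predict* it.  Here a deterministic stream
scores almost as well as a true source would, which is exactly why the
message above demands evidence of a physically unpredictable process
before timing noise is trusted for cryptographic use.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List


def deterministic_samples(seed: bytes, n: int) -> List[int]:
    """Constructed stand-in for a timing source: 8-bit values taken from a
    SHA-256 chain.  Every value is fixed by `seed`, so the stream has no
    unpredictability at all for anyone who knows the seed."""
    out: List[int] = []
    state = seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out.extend(state)          # bytes iterate as ints 0..255
    return out[:n]


def predict_sample(seed: bytes, index: int) -> int:
    """An observer who knows the seed reproduces sample `index` exactly."""
    return deterministic_samples(seed, index + 1)[index]


def min_entropy_mcv(samples: List[int]) -> float:
    """Most-common-value min-entropy estimate (NIST SP 800-90B, 6.3.1):
    bound the probability of the most frequent value from above with a
    99% confidence interval and return -log2 of that bound, in bits per
    sample.  A constant stream scores 0; a uniform 8-bit stream scores
    close to 8."""
    n = len(samples)
    p_max = Counter(samples).most_common(1)[0][1] / n
    p_u = min(1.0, p_max + 2.576 * math.sqrt(p_max * (1 - p_max) / (n - 1)))
    return -math.log2(p_u)


def compare(seed: bytes = b"constructed seed", n: int = 1 << 14) -> Dict[str, object]:
    """Score a constant stream (obviously no entropy) against the
    deterministic chain (looks random, but is fully predictable)."""
    constant = [42] * n
    chain = deterministic_samples(seed, n)
    return {
        "constant_bits_per_sample": min_entropy_mcv(constant),
        "chain_bits_per_sample": min_entropy_mcv(chain),
        # The estimator credits the chain with roughly 7 bits per sample,
        # yet sample 1000 is known in advance to anyone holding the seed.
        "chain_predictable": predict_sample(seed, 1000) == chain[1000],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The point of the comparison is not that the estimator is wrong: it correctly reports that a constant stream carries nothing and that the chain's values are well spread. What it cannot see is the seed. Any entropy claim for disk, SSD or other device timings therefore has to rest on an argument about the physical process behind the jitter, with statistical testing used only to catch gross failures of a source already believed to be sound.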
