[9417] in cryptography@c2.net mail archive


Re: chip-level randomness?

daemon@ATHENA.MIT.EDU (Bill Frantz)
Thu Sep 20 10:21:30 2001

Message-Id: <v03110702b7cf4ebeed23@[165.247.209.101]>
In-Reply-To: <20010919171718.A3201@thunk.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 20 Sep 2001 00:48:46 -0700
To: cryptography@wasabisystems.com
From: Bill Frantz <frantz@pwpconsult.com>

At 2:17 PM -0700 9/19/01, Theodore Tso wrote:
>It turns out that with the Intel 810 RNG, it's even worse because
>there's no way to bypass the hardware "whitening" which the 810 chip
>uses.  Hence, if the 810 random number generator fails, and starts
>sending something that's close to a pure 60 HZ sine wave to the
>whitening circuitry, it may be very difficult to detect that this has
>happened.

Does anyone know what algorithm the "whitening" uses?  If you apply FIPS
140 to its output, are you likely to catch the most common failure modes?
(All ones, all zeroes, line-frequency dependencies?)

Also when reseeding /dev/random, be careful to prevent continuation
attacks.  Gather enough entropy in a private buffer before reseeding to
prevent someone who has compromised the state of /dev/random from being
able to calculate the new state by exhaustive search.  (I would say 80+
bits would be enough.)

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | The principal effect of| Periwinkle -- Consulting
(408)356-8506         | DMCA/SDMI is to prevent| 16345 Englewood Ave.
frantz@pwpconsult.com | fair use.              | Los Gatos, CA 95032, USA

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
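Bill's question (would FIPS 140 statistical tests catch the common failure modes?) and Ted's point that whitening can mask them, worked through as an added example that is not part of the original thread: the four FIPS 140-1 power-up tests (monobit, poker, runs, long run) run over a 20,000-bit sample, with constructed inputs for a healthy source, an all-zeros source and a 1-bit-sampled 60 Hz sine wave. The SHA-256 "whitener" is an assumption standing in for the unknown hardware circuit, not the Intel 810's actual algorithm.

```python
import hashlib
import math

N_BITS = 20000  # FIPS 140-1 tests are defined over a 20,000-bit sample

def to_bits(data: bytes) -> list:
    """Expand bytes to 0/1 ints, MSB first, truncated to N_BITS."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)][:N_BITS]

def fips_140_1(bits: list) -> dict:
    """Return {test_name: passed} using the FIPS 140-1 thresholds."""
    ones = sum(bits)
    # Poker test: nibble frequencies over the 5000 4-bit segments.
    freq = [0] * 16
    for i in range(0, N_BITS, 4):
        freq[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    poker = 16 / 5000 * sum(f * f for f in freq) - 5000
    # Runs test: count maximal runs of each bit value by length (index 6 = six or more).
    runs = {0: [0] * 7, 1: [0] * 7}
    longest = length = 1
    for i in range(1, N_BITS + 1):
        if i < N_BITS and bits[i] == bits[i - 1]:
            length += 1
        else:  # the run ending at bit i-1 is complete
            runs[bits[i - 1]][min(length, 6)] += 1
            longest = max(longest, length)
            length = 1
    bounds = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}
    runs_ok = all(lo <= runs[v][k] <= hi for v in (0, 1) for k, (lo, hi) in bounds.items())
    return {"monobit": 9654 < ones < 10346, "poker": 1.03 < poker < 57.4,
            "runs": runs_ok, "long_run": longest < 34}

def healthy_bits() -> list:
    """Constructed stand-in for a working source: SHA-256 in counter mode."""
    return to_bits(b"".join(hashlib.sha256(b"ctr%d" % i).digest() for i in range(79)))

def sine_bits(freq_hz=60.0, sample_hz=1000.0) -> list:
    """Constructed failure mode: 1-bit sampling of a line-frequency sine wave."""
    return [int(math.sin(2 * math.pi * freq_hz * t / sample_hz) > 0) for t in range(N_BITS)]

def whiten(bits: list) -> list:
    """Assumed stand-in for hardware whitening: chained SHA-256 over 32-byte raw blocks."""
    raw = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
    out, prev = [], b""
    for i in range(0, len(raw), 32):
        prev = hashlib.sha256(prev + raw[i:i + 32]).digest()
        out.append(prev)
    return to_bits(b"".join(out))
```

The raw sine stream fails the poker and runs tests outright, but the same stream pushed through the hash-based whitener passes all four, which is exactly the detection gap Ted describes.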
