[117611] in Cypherpunks

home help back first fref pref prev next nref lref last post

Re: Build a better OTP?

daemon@ATHENA.MIT.EDU (William H. Geiger III)
Tue Sep 7 02:21:51 1999

Date: Tue, 7 Sep 1999 02:08:46 -0400
Message-Id: <199909070608.CAA01717@domains.invweb.net>
From: "William H. Geiger III" <whgiii@openpgp.net>
To: Multiple recipients of list <cypherpunks@openpgp.net>
Reply-To: "William H. Geiger III" <whgiii@openpgp.net>

In <19990907001701.Q14325@die.com>, on 09/07/99 
   at 12:17 AM, Dave Emery <die@die.com> said:


>On Mon, Sep 06, 1999 at 01:57:59PM -0700, Lucky Green wrote: > > >They're
>building it into their chip sets so if you buy a new computer > > >you'll
>probably get it automatically.  Soon, random bits will essentially > >
>>be ubiquitous.  Anyone who cares can have all the random numbers he
>> > >wants.
>> >
>> > >The data rate is in the megabytes per hour range so it would take a few
>> > >days to fill a CD.
>> >
>> > Yes but is it trustworthy?
>> 
>> Since Intel won't allow examination by the public of the raw bits, the
>> answer is "most emphatically not".

>	Your phrase  "by the public"  intrigues me.   Does this imply  that
>there is a mechanism to do so that they are refusing to disclose or that
>the only way to get at the raw bits is probing the chip ?

>	Sounds a bit like another tenctacle of the NSA to me... 

Well it would be a rather tempting target for them to compromise. What's
Intel's market share, 80-90%? And if you can get nearly all the crypto
software running on those systems all using the same RNG? Even better yet
one that has not, and most likely will not, be peer reviewed?

While Cryptography's report was interesting, it was far from complete.
It's scant 8 pages (the majority of which was devoted to RNG 101) was more
of an introduction than a full report. It was most definitely not anything
I would use to base my decision of the trustworthiness of Intel's RNG.

I have not talked to Ben or Paul but from Lucky's post:

"Anyway, what Ben and Paul analyzed were the design assumptions, the
design, and data provided to them by Intel." 

It would seem to me that they didn't do any actual testing of the RNG!!

It reminds me of a while back when I noticed a trend of crypto programmers
switching to the use of /dev/random on the *nix platforms. I decided to
look into it and see what analysis had been done of the program as I was
interested in using it for a project. To my surprise very little review
had been done at all (actually no formal papers had been written on it).
After bringing it to the attention to the FreeWan group and others an
intense discussion ensued (actually it's still going on). It got people
interested in analyzing the program, weaknesses were found when used in
certain environments, and the author has produced a couple of updates to
the code to address some of the issues raised.

The point of this is one can not blindly trust any system. Even without
the issue of malicious tampering, it is far too easy for one programmer,
or one group of programmers to make mistakes. In the case of /dev/random &
FreeWan, it seems no one realized that the majority of entropy was
dependent on user input (keyboard/mouse movement) for a crypto program
that for the most part would run on servers with very little user input.

The thought of the majority of crypto dependent on an untested and
untrustworthy RNG is very scary.


-- 
---------------------------------------------------------------
William H. Geiger III  http://www.openpgp.net
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii

Hi Jeff!! :)
---------------------------------------------------------------



home help back first fref pref prev next nref lref last post