[117629] in Cypherpunks
Re: Build a better OTP?
daemon@ATHENA.MIT.EDU (Anonymous)
Tue Sep 7 16:38:13 1999
Date: Tue, 7 Sep 1999 22:20:36 +0200 (CEST)
Message-Id: <199909072020.WAA22641@mail.replay.com>
From: Anonymous <nobody@replay.com>
To: cypherpunks@cyberpass.net
Reply-To: Anonymous <nobody@replay.com>
> Well it would be a rather tempting target for them to compromise. What's
> Intel's market share, 80-90%? And if you can get nearly all the crypto
> software running on those systems all using the same RNG? Even better yet
> one that has not, and most likely will not, be peer reviewed?
But it has been peer reviewed, by what is probably the single group of
people most qualified and most expert in this area, Paul Kocher and his
associates at Cryptography Research.
> I have not talked to Ben or Paul but from Lucky's post:
>
> "Anyway, what Ben and Paul analyzed were the design assumptions, the
> design, and data provided to them by Intel."
>
> It would seem to me that they didn't do any actual testing of the RNG!!
It would? Well, perhaps you should not rely so heavily on what Lucky
says. Perhaps you should ask Paul and Ben, or, hey, here's a thought,
perhaps you should even read the report! It clearly states, in section 4,
that Cryptography Research performed their own series of tests.
> It reminds me of a while back when I noticed a trend of crypto programmers
> switching to the use of /dev/random on the *nix platforms. I decided to
> look into it and see what analysis had been done of the program as I was
> interested in using it for a project. To my surprise very little review
> had been done at all (actually no formal papers had been written on it).
> After bringing it to the attention to the FreeWan group and others an
> intense discussion ensued (actually it's still going on). It got people
> interested in analyzing the program, weaknesses were found when used in
> certain environments, and the author has produced a couple of updates to
> the code to address some of the issues raised.
The difference is that /dev/random had not been subjected to any review,
but the Intel design has. And the CR reviewers are the best in the field.
If they were to look at /dev/random you can be sure they would have shot
it so full of holes it would look like /dev/swisscheese.
> The thought of the majority of crypto dependent on an untested and
> untrustworthy RNG is very scary.
Untested? You mean, you are ignorant of the tests Intel ran on it during
development, the tests Kocher et al ran on it for their analysis, the
tests Intel runs during manufacturing, and the FIPS 140 self tests which
are run on the chip during use?
Untrustworthy? You mean, you are ignorant of the credentials and
qualifications of Cryptography Research for doing this review? Inventors
of timing attacks, differential power analysis attacks, virtual founders
of the whole field of side channel cryptanalysis? Designers of the SSL
v3 protocol, which corrected numerous weaknesses in earlier versions?
There is no other group with more expertise in the actual, practical
implementation of cryptography in the real world of chips and software
and failures. And these experts concluded:
As a result, we believe that the RNG is by far the most reliable
source of secure random data available in the PC.
Look at what they are saying. Not just that the RNG is good, although the
do say that, too. They are saying that it is the best, the most reliable
source of secure random data available on PCs. It is far better than
clumsy workarounds like /dev/random, or the laughable hobbyist attempts
to wire Geiger counters or hook microphones to water fountains as we have
seen suggested here.
The Intel RNG design is rock solid. It reflects a tremendous degree
of sophistication and understanding of the issues on the part of the
designers. No amateur based RNG circuit has anywhere near the quality
of Intel's RNG design. It is a professional effort, and it shows.
It is sad to see that once again cypherpunks are raising objections to
an important advance and improvement in cryptographic technology merely
because it does not conform to their ideological beliefs. The one
saving grace is that the cypherpunks have become so marginalized by
their knee-jerk anti-corporate reactions that their opinions have little
influence any more. Their embarrassing and laughable overreaction to
the Microsoft CAPI keys is a good example. The real experts in the
field, people like Bruce Schneier and Matt Blaze, are left having to
apologize for the ludicrous overstatements of ignorant cypherpunks.
Maybe it's just as well that cypherpunks are abandoning cryptography
for guns and Y2K. Those fields are already so full of crackpots that
a few more won't matter.