[117639] in Cypherpunks

home help back first fref pref prev next nref lref last post

Hardware RNG Verification

daemon@ATHENA.MIT.EDU (lcs Mixmaster Remailer)
Tue Sep 7 18:56:47 1999

Date: 7 Sep 1999 22:40:08 -0000
Message-ID: <19990907224008.30761.qmail@nym.alias.net>
To: cypherpunks@cyberpass.net
From: lcs Mixmaster Remailer <mix@anon.lcs.mit.edu>
Reply-To: lcs Mixmaster Remailer <mix@anon.lcs.mit.edu>

The Re: Build a better OTP thread has gotten out of control.

Simple statement, accept or reject:
A hardware RNG should come with complete operating specs, and with the ability to observe pre-whitened bits if this doesn't cause undue difficulty in the hardware design.

premises:
1.If complete specs are provided,several competing verification
programs will be produced and source made available. This is good because any idiot with a compiler can verify that the RNG is behaving reasonably,admittedly for a different value of 'reasonably' depending on the particular idiot in question, and a marginally more sophistated user can add his own whitening stages to a sufficiently high level of paranoia.

2. While Ben and Paul undoubtedly did a laudable job,assuming that even the next run of chips will be in compliance is probably something they won't be paid to re-verify.  Intel,4 years from now: oops, this wire slipped over here on the second production run and now the rng is a just the CPU serial number and 20 bits of system time run through SHA.This doesn't have to be NSA paranoia stuff, it's quite plausible for an honest mistake in layout or fab change by some non-crypto expert chip engineer could introduce problems.

3.Common Implementation issues.If I can test it myself and see how much entropy is in the prewhitened output, I can use a different threshhold for entropy/bit than the designers planned on.Maybe I even want LESS, if I just need to randomize a simulation.In this case software can be much more efficient by not asking for more than it needs.

a real world example:
I'm a web site maintainer and need lots of random session keys.I have assured physical security through other means. I need to preserve a large random number pool to get keys from.If I have specs for the random number generator,I can refresh my pool in a way that's optimal for my needs, rather than passing it once through SHA by Intel's driver and once more when I use my pool to get numbers.

adequate verification when someone sells you a computer:
Ok, it loads Linux and seems to run my word processor.I'll take it.

Intel's suggested verification process for a security product:
Well,Intel's experts did an evaluation last year and say it's good.Intel swears it's good.Bill G swears by it.I'll take it.

I don't think so.Security products:I wanna look inside.otherwise no sale.


Monger.


home help back first fref pref prev next nref lref last post