[Cryptech Tech] ASIC implementation page on wiki

Benedikt Stockebrand bs at stepladder-it.com
Sun Aug 17 17:56:40 UTC 2014


Hi Peter and list,

Peter Gutmann <pgut001 at cs.auckland.ac.nz> writes:

> Benedikt Stockebrand <bs at stepladder-it.com>
>
>>The problem I see with that is that if we run into problems with some
>>"improved", "low noise" diodes being slipstreamed into production, then we
>>have one hell of a rollback to do.
>
> The solution is to never rely on a single source. 

that's agreed, but at this point we were talking about one of the
individual sources already.

However, I've learned a couple of things from building high availability
systems in the past, and they do apply here just as well:

First of all, never build from crappy components and expect the HA stuff
to magically fix their sorry quality.  If you do, all that happens is
that they eventually fail together and create a really huge mess because
nobody ever bothered to come up with a defined behaviour, let alone a
contingency plan, for this case.  After all, if it's HA, then it isn't
meant to fail...

> If you look at the NSA's Capstone design they use a noise source, an
> ANSI X9.17 generator using a per-device seed, and a counter, and fed
> it all into a SHA-1 whitener/mixer.  This is a good, sound design, any
> one (and, worst-case, even two) of those components can fail and the
> generator will still produce usable output.

Second is that eventually there is always a component that has to make
the decision, in this case the mixer.  You always have something like
that somewhere (possibly in software only), and you are generally well
advised to keep it as simple as possible.  If that's infeasible, then do
with a single component anyway.

Third is that without monitoring, or similar, all that redundancy gets
you is twice as many source component failures to discover and deal
with plus whatever trouble the decision maker/mixer can cause.

> So add two different diodes, a ring oscillator, a counter, and some sort of
> crypto PRNG (everything except the diodes can presumably go on an FPGA/ASIC)
> and hash the output, then you don't need to worry about a change in the
> manufacturing processing killing your entire RNG.

Right, but then you still have to worry that everybody relies on
everybody else to do their jobs right while they themselves don't
necessarily do.


Cheers,

    Benedikt

-- 
Benedikt Stockebrand,                   Stepladder IT Training+Consulting
Dipl.-Inform.                           http://www.stepladder-it.com/

          Business Grade IPv6 --- Consulting, Training, Projects

BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/
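As an added example that is not part of this thread or of Cryptech's code: a small Python mixer in the spirit of the Capstone design quoted above (several sources plus a counter hashed into one output) combined with the per-source monitoring Benedikt's third point asks for. The source names, the repetition threshold and the sample streams are constructed for illustration, and SHA-256 stands in for the SHA-1 whitener.

```python
import hashlib

# Constructed threshold for a stuck-at (repetition count) health test: this many
# identical consecutive samples flags a source as failed.
REPETITION_LIMIT = 8

class MonitoredSource:
    """A raw noise source wrapped with its own repetition-count monitor."""
    def __init__(self, name, sampler):
        self.name = name          # label mixed in with each sample
        self.sampler = sampler    # callable returning one bytes sample
        self.last, self.run, self.failed = None, 0, False

    def sample(self):
        value = self.sampler()
        self.run = self.run + 1 if value == self.last else 1
        self.last = value
        if self.run >= REPETITION_LIMIT:
            self.failed = True    # stuck source detected; the alarm persists
        return value

def mix(sources, counter):
    """Hash one sample from every source plus a counter into one output block.
    Returns (digest, names of sources currently flagged failed). SHA-256 stands
    in for the SHA-1 whitener of the Capstone design quoted in the thread."""
    h = hashlib.sha256()
    for src in sources:
        h.update(src.name.encode())
        h.update(src.sample())
    h.update(counter.to_bytes(8, "big"))
    return h.digest(), [s.name for s in sources if s.failed]

def make_stream(samples):
    """Turn a constructed list of samples into a sampler callable."""
    it = iter(samples)
    return lambda: next(it)

def run_demo(rounds):
    """Mix a live source with a stuck one: the digests stay distinct, so only the
    monitor reveals the failure. Returns (digests, first alarm round, failed)."""
    live = MonitoredSource("diode", make_stream([bytes([i]) for i in range(rounds)]))
    stuck = MonitoredSource("ring_osc", make_stream([b"\x00"] * rounds))
    digests, first_alarm = [], None
    for n in range(rounds):
        digest, failed = mix([live, stuck], n)
        digests.append(digest)
        if failed and first_alarm is None:
            first_alarm = n
    return digests, first_alarm, [s.name for s in (live, stuck) if s.failed]
```

Because the live source and the counter keep every digest distinct, the mixer alone never shows that one of its inputs has gone flat; only the per-source alarm does.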