[Cryptech Tech] RAM as source of entropy

Василий Долматов dol at reedcat.net
Fri Feb 7 09:33:41 UTC 2014


On 7 Feb 2014, at 13:01, Joachim Strömbergson <joachim at secworks.se> wrote:

> 
> Aloha!
> 
> First: Thanks for your thoughts and suggestions on the entropy source
> solutions.
> 
> 
> Василий Долматов wrote:
>> Due to extreme importance of the quality of randomness for the 
>> security of any cryptography the random source should be extremely 
>> reliable, being the cornerstone of the cryptosystem.
> 
> Yes, there we are in agreement.
> 
> 
>> The only proper source of randomness now is based upon usage of the
>> noise diode.
> 
> Is it?
Yes.
> 
> There are imho several proper sources of randomness, the problem is how
> cumbersome they are to use. Radioactive decay, cosmic background
> radiation, hall effects. NIST for example (claims to) use quantum
> entanglement effects for their randomness beacon:
> 
> http://www.nist.gov/itl/csd/ct/nist_beacon.cfm
> 
> The big problems with a lot of these sources are that they are
> expensive, big, cumbersome to integrate and rely on a lot of support
> structures that can fail and/or be manipulated.
> 
> The noise diode is commonly used in low cost environments because it is
> pretty easy and cheap to integrate.

Sorry, I omitted these elaborations and stated the final result. ;)

> But it is sensitive to ambient
> temperature and the analog circuit can end up (and has been forced)
> close to saturation which affects the entropy quite badly.
> 
> YubiHSM uses avalanche noise, but others for example based on Exar
> (HiFn) design does not, but instead on jitter from multiple internal
> oscillators within the ASICs. And I believe IBM at least in one instance
> have used radioactive decay in a (shielded) HSM.
> 
> 
>> If it is necessary to have a couple of entropy sources (I can see only
>> one reason for it - the redundancy - but, being sincere I cannot
>> imagine the necessity of entropy sources being redundant in such a
>> device, if the source fails, it is a much simpler way to throw out
>> the whole device and replace it with a new one), that could be done by
>> placing two _identical_ sources into the device.
> 
> This is in direct contrast with the discussions going on at
> @cryptography, the DJB list etc where the multiple sources are seen and
> suggested as a mechanism to add difficulty on any attacker due to the
> need to manipulate/force several sources into predictable state
> simultaneously. Not kill the source, just force it to have some bias or
> patterns that can be predicted.
Checking the properties of the output would be enough to find that out and to stop operation.

> And for this reason these sources would
> be based on two different principles. Diode noise and something for
> example. To me, two identical sources sounds very much like security
> theater.
> 
I have said that for me the idea of putting several sources into that simple device is just a «security theatre», the only possible reason which I could _imagine_ is the redundancy, but I have said that to me there is much more convenient and simple way to handle failure of the randomness source. 
In that context, yes, having two identical sources is a kind of «security theatre», having two different sources - is just another flavor of the same cake.

> My thoughts on the entropy sources for Cryptech is to support one or
> more sources. And in our example design we use two sources, but provide
> source templates and documentation to allow users/implementers to extend
> to as many and different sources as they see they need. We won't put a
> requirement on having two or more _different_ sources, but will
> recommend having at least two different sources.

Mixing the output of several «bad» sources will not give a «good» result.
Mixing the output of several «bad» sources with a «good» source will not give a «good» result.
Mixing the output of several «good» sources will not make the result «more good».

The only reason for having several sources is to have the possibility of detecting the failure of a given «good» source and switching to the other «good» one.

That demands the presence of several «good» sources, which is overkill IMHO for this quite simple device.
> 
> Furthermore my thinking is that we should try to have one external
> source and one internal source of entropy. Internal as inside the FPGA.
> There has been some really interesting research presented at CHES the
> last couple of years on entropy source designs used inside FPGAs.
> 
> The reason I started looking more into the external, dedicated RAM
> solution is due to the less reliance on analog circuitry tuning to get
> good avalanche effect. The SRAM based solution would be easy for a lot
> of users to implement and test. And cheap.

The only «good» source which fits the Cryptech framework is the noise diode. All other alternatives are «bad» ones.
You have been warned. Period.

 dol@
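
The check discussed above (test the properties of the source's output and stop operation when they fail), as an added example that is not part of the original message or of Cryptech's code: the two continuous health tests from NIST SP 800-90B, repetition count and adaptive proportion, run over bit streams. The claimed min-entropy `h`, the function names and the three sample streams are assumptions constructed for illustration.

```python
import math

ALPHA = 2.0 ** -20  # per-test false-alarm rate, the value SP 800-90B recommends

def rct_cutoff(h):
    """Repetition Count Test: run length that triggers failure, for h bits/sample."""
    return 1 + math.ceil(-math.log2(ALPHA) / h)

def apt_cutoff(h, window):
    """Adaptive Proportion Test: 1 + smallest c with P[Bin(window, 2^-h) <= c] >= 1-ALPHA."""
    p, cdf = 2.0 ** -h, 0.0  # requires h > 0 so that p < 1
    for c in range(window + 1):
        log_term = (math.lgamma(window + 1) - math.lgamma(c + 1) - math.lgamma(window - c + 1)
                    + c * math.log(p) + (window - c) * math.log1p(-p))
        cdf += math.exp(log_term)  # binomial pmf, summed in log space to avoid overflow
        if cdf >= 1 - ALPHA:
            return 1 + c
    return window + 1

def health_check(bits, h=1.0, window=1024):
    """Run both tests over 0/1 samples; return (ok, reason) and stop at the first failure."""
    rct, apt = rct_cutoff(h), apt_cutoff(h, window)
    run_val, run_len = None, 0
    for i, b in enumerate(bits):
        run_len = run_len + 1 if b == run_val else 1
        run_val = b
        if run_len >= rct:
            return False, f"RCT: {run_len} identical samples ending at index {i}"
        if i % window == 0:        # new window: first sample becomes the reference
            ref, count = b, 0
        count += b == ref
        if count >= apt:
            return False, f"APT: value {ref} seen {count} times in one window (index {i})"
    return True, "ok"

# Constructed sample streams (assumptions, not measurements from any device)
STUCK = [1] * 100              # source driven into saturation
BIASED = [1, 1, 0] * 1000      # source pushed to about 67% ones, no long runs
ALTERNATING = [0, 1] * 2048    # balanced, but trivially predictable

if __name__ == "__main__":
    for name, s in (("stuck", STUCK), ("biased", BIASED), ("alternating", ALTERNATING)):
        print(name, health_check(s))
```

The alternating stream passes both tests although it is fully predictable: these tests catch a source that has gone stuck or strongly biased, and a pass says nothing beyond that.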

