[Cryptech Tech] RAM as source of entropy
Steven Bellovin
smb at cs.columbia.edu
Sat Feb 8 22:27:26 UTC 2014
On Feb 8, 2014, at 3:32 AM, Joachim Strömbergson <joachim at secworks.se> wrote:
> Signed PGP part
> Aloha!
>
> Warren Kumari wrote:
> >> Kind of, but I think that there are some important differences --
> >> DRAM is designed to be stable (well, to try minimize the leakage
> >> from the capacitor). A CCD is designed to let the charge escape
> >> from the well.
>
> Yes. That is what I resembles. ;-)
>
> And due to the, in some cases, very long decay times observed for DRAM
> I'm more inclined to try the SRAM initial state mechanism since the
> "decay" can be forced much better.
>
>
> >> Ok, I'll buy that. Powering off and on a large SRAM and reading
> >> the "initial" state might work really well, it would be interesting
> >> to test both and see the entropy and bandwidth from both options.
> >> One of the things that had made me uneasy about the memory option
> >> (other than the slow decay shown be the "Lest we remember" paper
> >> for DRAM) was the fact that many commercial HSMs (supposedly)
> >> continuously move the keying information around in memory to
> >> prevent cells sticking in a last known state. I'd thought I read
> >> something about this effect happening in SRAM as well (but cannot
> >> find the reference at the moment), because of long term diffusion
> >> effects. I had some vague uneasiness that, over time flip-flops
> >> that happen to bias one way or the other would increasingly prefer
> >> that bias. But then agin, I've only been paying very slight
> >> attention to this, basically what seeps in while idly flipping
> >> through IEEE Spectrum on airplanes :-), and so this is probably all
> >> a rathole.
>
> No, I think it is an interesting notion worth keeping in mind (no pun
> intended). We would power the SRAM memory off and on very often so
> something being allowed to stick may not be a problem. But even so,
> actively writing different patterns into the memory in between power
> cycling it might be an important part of avoiding such problems.
>
> It would be really fun doing some correlation measurements between the
> written pattern and the extraction pattern. And having number of power
> off cycles on the x axis.
>
https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman_html/
might have some data on that.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
More information about the Tech
mailing list