[Cryptech Tech] User auditable hardware entropy source/random number generator
Benedikt Stockebrand
bs at stepladder-it.com
Fri Jul 11 19:43:59 UTC 2014
Hi Joachim and list,
Joachim Strömbergson <joachim at secworks.se> writes:
> What I think Fredrik had in mind was to use a MCU to implement control
> and sampling of the entropy source. The idea is to have HW-blocks in the
> FPGA that contains on-line tests (subset of AIS31 is my idea at the
> moment) and then any decorrelation, bias adjustment, whitening before
> providing the values to the mixer.
Two questions right away: What is AIS31, and what exactly do you mean
by "whitening" (so far I'd assumed it was some spectrum adjustment,
but as I understand it that would need to be done before going digital)?
Sorry about asking questions like that, but I still have to synchronize
with your terminology and generally known background information.
> So half of what you are thinking of putting in the MCU would go into the
> FPGA. But that is not written in stone or anything.
Well, if we already have to use an FPGA for the actual crypto
functionality, then we should try to do without an additional MCU. It's
just that I'm not (yet) familiar with the requirements and limitations
of FPGAs, so whatever I come up with on the HWRNG-only, MCU based side,
may need some massaging to work with an FPGA.
And, even at the risk of unintentionally stepping on people's toes: I
do intend to continue with my original HWRNG-only thing, simply because
I expect it to be way easier to audit than an FPGA based full-scale HSM
and as such fill another set of requirements.
> As long as the interface provides read access to the raw data (before
> massaging) and an IRQ if the on-line tests fail one could implement
> it all in the MCU.
Whatever you need. However, the term "raw data" at this point is
imprecise. I use several layers of "processing" (big word for little
action) to turn that into a random (i.e. unbiased, uncorrelated)
bit/byte stream. If we still do this in a separate MCU, we can provide
access to its data at any level as long as the interface can handle the
load.
I guess that I'll have to write up some more details on how I do all
this. But not on a Friday evening...
Cheers,
Benedikt
PS: I just proposed a talk on secure crypto hardware in general to the
DENOG meeting in November. Unless anybody would rather have me shut
up on it (and I won't pose as a spokesman for the project) I'll try
to make the project more widely known. Is that OK with everyone?
--
Benedikt Stockebrand, Stepladder IT Training+Consulting
Dipl.-Inform. http://www.stepladder-it.com/
Business Grade IPv6 --- Consulting, Training, Projects
BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/
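[Editor's note: the following is an added illustration, not Cryptech code and not Benedikt's or Joachim's design. It sketches the layering discussed in the message (raw samples, on-line tests with a failure signal, bias adjustment, whitening before the mixer) so that the terms being debated have concrete shape. The health checks are a deliberately simplified stand-in and are not an AIS31 implementation; the raw bit stream is constructed with a seeded PRNG and a deliberate bias, and SHA-256 stands in for whatever mixer the design ends up using. All function names are this example's own.]

```python
"""Toy HWRNG post-processing chain (added example, not Cryptech code):
raw samples -> on-line health tests -> bias adjustment (von Neumann)
-> whitening/conditioning (SHA-256 as a stand-in mixer).

The health tests are a simplified stand-in (assumption), NOT AIS31."""
import hashlib
import random
from typing import List, Optional, Tuple


def constructed_raw_bits(n: int, p_one: float = 0.6, seed: int = 1) -> List[int]:
    """Constructed stand-in for raw sampler output: independent bits with a
    deliberate bias (p_one != 0.5), the kind of defect the later stages are
    meant to remove.  Seeded so the example is reproducible offline."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def online_tests(bits: List[int], max_run: int = 64,
                 min_ratio: float = 0.25, max_ratio: float = 0.75) -> Tuple[bool, str]:
    """Simplified continuous health tests on the *raw* stream (before any
    massaging): a stuck-at / repetition-count check and a coarse proportion
    check.  Returns (ok, reason).  A real design would use AIS31-style tests."""
    if not bits:
        return False, "no samples"
    run, prev = 0, None
    for b in bits:
        run = run + 1 if b == prev else 1
        prev = b
        if run > max_run:
            return False, f"repetition count exceeded ({run} identical bits)"
    ratio = sum(bits) / len(bits)
    if not (min_ratio <= ratio <= max_ratio):
        return False, f"proportion of ones out of range ({ratio:.2f})"
    return True, "ok"


def von_neumann_debias(bits: List[int]) -> List[int]:
    """Bias adjustment: non-overlapping pairs (0,1)->0, (1,0)->1; (0,0) and
    (1,1) are discarded.  Exact for independent but biased bits; it does
    NOT remove correlation between neighbouring samples (decorrelation is
    a separate stage)."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def pack_bits(bits: List[int]) -> bytes:
    """Pack a bit list MSB-first into bytes, dropping a trailing partial byte."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def whiten(debiased: bytes) -> bytes:
    """Whitening/conditioning: compress a block of debiased bytes to 32
    bytes.  SHA-256 is only a stand-in for the design's real mixer."""
    return hashlib.sha256(debiased).digest()


def process(raw: List[int], block_bytes: int = 64) -> Optional[bytes]:
    """Full chain.  Returns None when the on-line tests fail (the software
    equivalent of the 'IRQ on test failure' in the discussion) or when
    not enough post-debias material has been collected for one block."""
    ok, _ = online_tests(raw)
    if not ok:
        return None
    debiased = pack_bits(von_neumann_debias(raw))
    if len(debiased) < block_bytes:
        return None
    return whiten(debiased[:block_bytes])


if __name__ == "__main__":
    raw = constructed_raw_bits(4096)
    print("raw ones ratio:      %.3f" % (sum(raw) / len(raw)))
    deb = von_neumann_debias(raw)
    print("debiased ones ratio: %.3f (%d bits kept)" % (sum(deb) / len(deb), len(deb)))
    print("stuck-at stream ->", process([1] * 4096))
    print("output block ->", process(raw).hex())
```

Note the accounting the chain makes visible: von Neumann throws away roughly half the raw bits (more as the bias grows), so exposing "raw data" at this layer versus after debiasing gives a reader very different sample rates, which is exactly why the interface has to say which layer it is handing out.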