[Cryptech Tech] Hardware entropy
Joachim Strömbergson
joachim at secworks.se
Mon May 19 19:47:32 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Aloha!
Fredrik Thulin wrote:
> From my understanding the internal entropy would be generated using
> unintented/not really standard stuff existing in FPGAs? Are there any
> potential dangers in having such a source in the Cryptech HSM?
>
> I'm saying this because in my mind I wouldn't be surprised if people
> will end up building HSMs from a number of more or less different
> FPGAs, and it could be catastrophic if some of these (based on model
> differences, batch differences, optimization setting differences or
> whatever) would actually fail to produce entropy.
It sort of depends on how the code is written. But you basically need to
use vendor specific low level intrinsics and/or direct instantiation as
well as layout directives to get good results. This means that one will
have to port the implementation when moving to a new generation, a new
FPGA model and/or vendor.
That is one reason why I don't think a FPGA internal entropy source will
be our base source. I got my hopes on your PN design. ;-)
> Of course, Cryptech has to have mechanisms to ensure the reliability
> of the entropy source(s) anyway... as you already said in other
> e-mails. Maybe that is enough to remove these concerns.
The online tests should be able to detect that the digitized values are
not b0rked. But as Berndt wrote you are basically truying to measure
something that is changing faster than what the test system can react.
- --
Med vänlig hälsning, Yours
Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
Joachim Strömbergson Secworks AB joachim at secworks.se
========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCAAGBQJTel/UAAoJEF3cfFQkIuyNNYcP/3+RYNjn30Zc6k5u/Zy2JrOz
GI8Hf+mu68WclSbQqXe7KxFjsvz/zdp+1MrzmcNgTxRMVvJAxbW6vxP1aWuabGf3
xQXsCQusB32Q/w0vxQ+BgCndt3S7ln4R0a8sjp515QXnorIlmGraq6YoM/CF84BX
/R61ErL1sVpwgtDTE35521lMZoKK8OpCu24OCrPB60dBrInvrEe2sA6l64KFxiPB
Ws3GP7OSLqQrR4KtKiP0YKcNh8KK6Rt9/8aqpug0y4ct3OKp+8eDeMpZ7seSzhdd
to8eknvMEq8U3zrbyyQioOcvfiPktqzRpI6+yugGSg78qKrziOESXGfNBzD2Gu9w
5ui64DE5TJ6PiPpvEkSUvna2SZUlQ8Ztn7M+XahfxNFynhIDfjSaqGnBOw4YQ/f9
PhGXZkoou/YV4ed7RyeX6HbfBpMMALuhZ3Jf5nkVhJl/u3Jfp5CQdc9XHQZRooTH
W+gbHp9kgd1KFgNpd1OJQWZ2891FJiylRnLRmQlwEIv9yUlymHH0zkWgCF7J4VfK
21/pmB9sxYi7UPZI50xbfme3TTN3M1VC7t1oKxjXBdmoQV8z5YwebpCd2gXnYNBg
hn/ijNqA7YAQ9Q7gPFuGsh2Q2GbZEq3yWZyqNVBF0PTBiKA8Fmi14BLegCcuJb7g
jB28c9KbN4Ip/0js1udk
=wdES
-----END PGP SIGNATURE-----
More information about the Tech
mailing list