[Cryptech Tech] Suggested changes to TRNG

Joachim Strömbergson joachim at secworks.se
Wed Sep 30 10:57:39 UTC 2015



Aloha!

Russ Housley wrote:
> A pause seems prudent, but it is unclear to me how long it should
> be.

Then I'm in good company. ;-)
I'll add the functionality, with a default value (say 1M cycles, which is
something like 20 ms), and we can then test and see if it works. Not sure
if having this value settable by SW would be meaningful.


>> 2. As a way for applications to add entropy. The fifo in the third
>> entropy provider can be made available for writing data.
> 
> Is there overlap with (2)?  Is the feedback running all of the time
> or just the first X words?

(2) and (3) are separate changes. But yes, if (2) is present the mixer
will do more work and will consume more entropy. As to whether (3) should
run all the time or not, I'm not sure and I'm happy to hear suggestions.

As I see it, the simplest thing is to basically have it work like a
fifo. When the mixer starts extracting words from the fifo due to
mixing, the entropy provider starts requesting new words from the
CSPRNG. The entropy provider should then have fixed higher priority than
applications. If the mixer runs every second or so, this means that the
entropy provider will steal something like 11 32-bit words every second.


>> (4) Right now the chain is reseeded once after cold start. With
>> the third entropy provider I'm considering changing this to a
>> double reseed. This means that we seed the csprng once, generate
>> enough random values to fill the entropy provider and then reseed
>> again to allow the new 'entropy' be part of the state of the mixer.
>> And when adding the test mode, we make this double reseed how we
>> ensure that the TRNG is placed in a good state for operations
>> again.
> 
> I like the idea that enough fresh entropy is used for the seed.
> Doesn't the feedback in (3) already make sure that happens?

For the first seeding (at start) the third entropy provider will not be
able to provide any values and will be skipped by the mixer. When the
CSPRNG has been seeded once there are words available that can be used by
the third entropy provider.

The idea with (4) is to ensure that what the CSPRNG has been seeded with
is based on a lot of entropy and state that an attacker will have as much
difficulty as possible controlling and predicting.

Especially after exiting test mode, the time to collect entropy is short,
and if an attacker can force a full restart by triggering exit from test
mode, then the attacker knows when to try to affect the entropy sources
to try and control the seed generated by the mixer.

So by seeding with potentially known entropy, feeding back from the
csprng and seeding again we add more state to predict and control in the
mixer. And since no data from the csprng from the first seed is provided
to applications, the attacker cannot observe if the control produced any
expected effects.

Now, I'm not sure this attack (forcing exit of test mode) is possible,
especially without causing other problems. And we have a mixer based on
SHA-512 and a CSPRNG we think is secure. So all this might just add
unneeded complexity. This is why feedback from you and others is so good.

-- 
Kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================
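An added software model of the scheme discussed in the message above (the fifo as a third entropy provider fed back from the CSPRNG, the mixer skipping it when empty, the feedback provider taking priority over applications, and the double reseed at cold start). This is illustrative code written for this page, not Cryptech's RTL or anything the author posted. Assumptions: the two hardware sources are replaced by constructed deterministic counters so the run is repeatable, the CSPRNG is a toy HMAC-SHA512 counter generator, the mixer pulls 16 words per hardware source (WORDS_PER_SOURCE), the fifo holds 32 words (FIFO_DEPTH), and the feedback provider takes 11 words per mix as the message estimates. Only the SHA-512 mixer and the 11-word figure come from the thread.

```python
import hashlib
import hmac
from collections import deque

WORD_MASK = 0xFFFFFFFF
WORDS_PER_SOURCE = 16   # assumed: words the mixer pulls from each hardware source per mix
FEEDBACK_WORDS = 11     # words the feedback provider takes from the CSPRNG per mix (from the message)
FIFO_DEPTH = 32         # assumed fifo depth; slack above FEEDBACK_WORDS leaves room for application writes


def make_counter_source(start: int):
    """Constructed stand-in for a hardware noise source: a deterministic counter, so runs repeat."""
    state = {"v": start}

    def source() -> int:
        state["v"] = (state["v"] + 1) & WORD_MASK
        return state["v"]

    return source


class ToyCsprng:
    """HMAC-SHA512 counter generator standing in for the real CSPRNG (an assumption)."""

    def __init__(self):
        self.key = None
        self.counter = 0

    def reseed(self, seed: bytes) -> None:
        self.key = seed
        self.counter = 0

    def next_word(self) -> int:
        self.counter += 1
        block = hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha512).digest()
        return int.from_bytes(block[:4], "big")


class TrngModel:
    """SHA-512 mixer + CSPRNG, with the fifo acting as a third entropy provider."""

    def __init__(self, hw_sources):
        self.hw_sources = list(hw_sources)   # callables returning one 32-bit word each
        self.fifo = deque()                  # third entropy provider (fed by CSPRNG and apps)
        self.csprng = ToyCsprng()
        self.feedback_skipped = 0            # mixes that found the fifo empty and skipped it
        self.words_to_apps = 0

    def _mix(self) -> bytes:
        """Hash words from every provider into a seed; an empty fifo is skipped."""
        h = hashlib.sha512()
        for src in self.hw_sources:
            for _ in range(WORDS_PER_SOURCE):
                h.update(src().to_bytes(4, "big"))
        if self.fifo:
            while self.fifo:
                h.update(self.fifo.popleft().to_bytes(4, "big"))
        else:
            self.feedback_skipped += 1
        return h.digest()

    def _refill_fifo(self) -> int:
        """Feedback provider pulls FEEDBACK_WORDS from the CSPRNG before any application read."""
        n = 0
        while n < FEEDBACK_WORDS and len(self.fifo) < FIFO_DEPTH:
            self.fifo.append(self.csprng.next_word())
            n += 1
        return n

    def cold_start(self) -> None:
        """Double reseed: output from the first seed reaches only the fifo, never applications."""
        self.csprng.reseed(self._mix())   # fifo is empty here, so the mixer skips it
        self._refill_fifo()
        self.csprng.reseed(self._mix())   # now the fed-back words are part of the mixer input
        self._refill_fifo()

    def reseed(self) -> None:
        """Periodic reseed: mix (draining the fifo), then let the feedback provider refill it."""
        self.csprng.reseed(self._mix())
        self._refill_fifo()

    def add_entropy(self, word: int) -> bool:
        """Application write into the fifo; returns False when there is no room."""
        if len(self.fifo) >= FIFO_DEPTH:
            return False
        self.fifo.append(word & WORD_MASK)
        return True

    def read_word(self) -> int:
        """Application read from the CSPRNG."""
        self.words_to_apps += 1
        return self.csprng.next_word()


def run_model() -> dict:
    """Cold start, one application read and write, then a reseed; returns the observed counts."""
    trng = TrngModel([make_counter_source(1), make_counter_source(1 << 20)])
    trng.cold_start()
    after_start = (trng.feedback_skipped, len(trng.fifo), trng.words_to_apps)
    first_word = trng.read_word()
    accepted = trng.add_entropy(0x12345678)   # constructed application-supplied word
    trng.reseed()
    return {"after_start": after_start, "first_word": first_word,
            "app_write_accepted": accepted, "fifo_after_reseed": len(trng.fifo),
            "skipped_after_reseed": trng.feedback_skipped}
```

Running `run_model()` shows the two properties argued for above: the first mix at cold start counts one skipped feedback provider (the fifo is empty), and after cold start no CSPRNG word has been handed to an application, yet the second seed already contains words derived from the first. Because the refill happens inside `reseed()` before control returns, the feedback provider's 11 words are always taken ahead of application reads, which is the fixed priority the message proposes.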

