[Cryptech Tech] Seeking comments on a proposal for changes to the Cryptech RNG design.

Bernd Paysan bernd at net2o.de
Thu Mar 29 10:57:53 UTC 2018

On Wednesday, 28 March 2018, 01:32:42 CEST, Peter Gutmann wrote:
> Joachim Strömbergson <joachim.strombergson at assured.se> writes:
> >Note that we have a second entropy source based on avalanche noise in a PN
> >junction. Designed by Fredrik Thulin.
> Is there a backup non-physical source in case the physical ones fail or are
> persuaded to fail?  If you look at the Capstone RNG, designed by guys who
> really know about failure modes of crypto hardware, they also have a
> CTR-mode PRNG driven from an internal seed, and an internal counter to
> ensure that some state changes occur even if the dynamic
> randomness-generation locks up.  It's a really good belt-and-suspenders
> design, the sort of thing I'd do if given the chance (I'm a big fan of
> safety-oriented redundancy in security designs).

The design already is divided into an entropy source and a CSPRNG, which can 
continue to run even when the entropy source dries up.

Things to discuss (or discussed on Twitter recently 
https://twitter.com/BerndPaysan/status/976478349072707584, or here 
https://twitter.com/Kryptoblog/status/976440866075238400 as another entry 
point) are: What can we do to improve the CSPRNG, e.g. use entropy expansion 
with key erasure instead of the key-preserving stream cipher we use now, or 
maybe save away gathered entropy in non-volatile memory and fetch it from 
there at the next startup, so that even when the entropy sources fail, the 
seeds generated from them while they were still OK can be used to generate 
more randomness.

Key erasure is a good thing for forward secrecy — you can't obtain a key and 
use it to go back in the stream by counting downwards and thus obtain old 
ephemeral keys or session keys.  Entropy is also required for post-compromise 
security — if your physical entropy fails (a sign of compromise on its own), 
and you continue to work deterministically, the attacker might have obtained your 
seed, and can now generate the same randomness as you.  So if you think about 
failure modes, also think about attack vectors.

It is highly unlikely that you can continue to operate when your in-FPGA 
jitter-based entropy source fails.  How could that happen? Someone must have 
modified your design (poorly, because a smart attacker would have replaced the 
non-deterministic internal entropy with a CSPRNG with attacker-known seed ;-).

It's easier to understand why the reverse-biased external diode fails to 
deliver randomness: Short circuit on the board by dust or migration wear by 
being operated in reverse breakdown mode for too long. External components 
have some harmless failure modes.

But in any such failure mode, don't continue to operate without alarm.

Bernd Paysan
"If you want it done right, you have to do it yourself"
net2o id: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
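Added illustration (not code from this thread, from Bernd, or from the Cryptech project): a Python sketch of the two CSPRNG shapes discussed above, a key-preserving counter-mode stream next to a fast-key-erasure generator, plus a simplified repetition-count health test on the entropy samples and the "alarm, don't continue" rule for a stuck source. SHA-256 stands in for the stream cipher, the `cutoff` value and all seeds are assumptions chosen for the demo, and the constructed sample streams (a counting byte sequence as a "healthy" source, a constant byte as a shorted diode) are not measurements. `attacker_can_rewind` only shows that the captured key-preserving state reproduces earlier output and that the captured key-erasure state does not; it is not a proof of forward secrecy.

```python
import hashlib

BLOCK = 32  # SHA-256 output size; the generator key is one block


class EntropyFailure(Exception):
    """The physical source looks stuck. Alarm; do not keep running deterministically."""


class RepetitionCountTest:
    """Continuous health test in the spirit of SP 800-90B's repetition count test:
    fail when one sample value arrives `cutoff` times in a row, which is what a
    shorted diode or a jitter source that stopped toggling looks like.
    `cutoff` is an assumed demo value, not a Cryptech parameter."""

    def __init__(self, cutoff=16):
        self.cutoff, self.last, self.run = cutoff, None, 0

    def feed(self, sample):
        if sample == self.last:
            self.run += 1
        else:
            self.last, self.run = sample, 1
        if self.run >= self.cutoff:
            raise EntropyFailure(f"sample {sample!r} repeated {self.run} times")


def prf(key, counter):
    """Keystream block i = SHA-256(key || i); stands in for the stream cipher."""
    return hashlib.sha256(bytes(key) + counter.to_bytes(8, "big")).digest()


class KeyPreservingStream:
    """Key-preserving shape: fixed key, running counter. Whoever captures
    (key, counter) can count downwards and regenerate every earlier block."""

    def __init__(self, seed):
        self.key = hashlib.sha256(b"kp" + seed).digest()
        self.counter = 0

    def generate(self, nbytes):
        out = b""
        while len(out) < nbytes:
            out += prf(self.key, self.counter)
            self.counter += 1
        return out[:nbytes]


class KeyErasureDRBG:
    """Fast-key-erasure shape: derive n+1 blocks, keep block 0 as the next key,
    hand out blocks 1..n, and overwrite the old key. A captured key says
    nothing about output produced under its predecessors."""

    def __init__(self, seed, health=None):
        self.key = bytearray(hashlib.sha256(b"ke" + seed).digest())
        self.health = health or RepetitionCountTest()
        self.alarmed = False

    def _ratchet(self, nblocks):
        blocks = [prf(self.key, i) for i in range(nblocks + 1)]
        self.key[:] = b"\x00" * BLOCK   # erase before installing the successor
        self.key[:] = blocks[0]
        return blocks[1:]

    def generate(self, nbytes):
        if self.alarmed:
            raise EntropyFailure("entropy source failed; refusing to continue")
        nblocks = -(-nbytes // BLOCK)
        return b"".join(self._ratchet(nblocks))[:nbytes]

    def reseed(self, samples):
        """Mix physical samples into the key only if the health test accepts
        every one of them; a stuck source latches the alarm instead."""
        try:
            for s in samples:
                self.health.feed(s)
        except EntropyFailure:
            self.alarmed = True
            raise
        self.key[:] = hashlib.sha256(b"rs" + bytes(self.key) + bytes(samples)).digest()

    def seed_for_nvm(self):
        """Value to stash in non-volatile memory for the next boot: a fresh output
        block, so the stored value is never the live key and the key ratchets past it."""
        return self.generate(BLOCK)


def attacker_can_rewind(gen_cls, seed=b"demo seed", calls=3):
    """Capture the state after `calls` outputs and try to recompute the first
    output by counting down to block 0 of the captured key."""
    g = gen_cls(seed)
    first = g.generate(BLOCK)
    for _ in range(calls - 1):
        g.generate(BLOCK)
    return prf(bytes(g.key), 0) == first
```

Run stand-alone, `attacker_can_rewind(KeyPreservingStream)` is `True` and `attacker_can_rewind(KeyErasureDRBG)` is `False`; feeding the constant-byte stream to `reseed` raises `EntropyFailure` and every later `generate` call refuses, which is the behaviour the last paragraph of the message asks for.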