Peter Gutmann wrote:
You have to be pretty careful here. Most of the TPM chips are just rebadged smart cards, and the RNGs on those are often rather dubious. A standard technique is to repeatedly encrypt some stored seed with an onboard block cipher (e.g. DES) as your "RNG". Beyond the obvious attacks (DES as a PRNG isn't particularly strong) there are the usual paranoia concerns (how do we know the manufacturer doesn't keep a log of the seed and key?) and stupidity concerns (all devices use the same hardwired key, which some manufacturers have done in the past). There are also active attacks possible, e.g. request values from the device until the EEPROM locks up, after which you get constant "random" values. Finally, some devices have badly-designed challenge-response protocols that give you an infinite amount of RNG output to analyse, as well as helping cycle the RNG to lockup.
One of the issues for a long time for that class of chips is whether on-chip key-gen and/or supported DSA (and/or ECDSA) were in use ... processes where a reasonably good RNG is integral to the operation.
at one point there were tests for a collection of chips in that class that performed 65k power-cycle/RNG operations and found that something like 30 percent of the numbers were repeated.
however, at least some of the TPM chips have RNGs that have some level of certification (although you might have to do some investigation to find out what specific chip is being used for TPM).
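The repeated-output test described in the reply (65k draws, count how many values come back more than once) is easy to reproduce against any source you can read from, so here is an added example of such a check in Python. It is not code from the original post or from any TPM vendor. The three device models (a healthy SHA-256 counter, a device that locks up and returns a constant, and a device re-seeded from a tiny seed space on every power cycle) are constructed simulations so the check runs offline; in practice you would replace `draw` with a call that reads a 32-bit word from the real device across power cycles. The number of repeats a uniform 32-bit source should produce in n draws follows from the birthday bound, about n(n-1)/2^33, i.e. roughly half a repeat at 65,536 draws, so anything in the "30 percent" range is a gross failure rather than a statistical fluke.

```python
"""Repeat-rate health check for a hardware RNG, modelled on the 65k-draw test
discussed above. All device models here are constructed simulations."""
import hashlib
from collections import Counter

N_DRAWS = 65536   # matches the 65k-operation test mentioned in the post
WORD_BITS = 32    # width of each value read from the device


def _h32(counter: int) -> int:
    """Deterministic stand-in for a well-distributed 32-bit output."""
    digest = hashlib.sha256(counter.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def make_good_source():
    """Constructed healthy source: SHA-256 in counter mode, 32 bits per draw."""
    state = {"ctr": 0}

    def draw():
        state["ctr"] += 1
        return _h32(state["ctr"])
    return draw


def make_lockup_source(lock_after=40000, stuck_value=0xFFFFFFFF):
    """Constructed model of the EEPROM-lockup failure: after `lock_after`
    requests every 'random' value is the same constant."""
    state = {"ctr": 0}

    def draw():
        state["ctr"] += 1
        if state["ctr"] > lock_after:
            return stuck_value
        return _h32(state["ctr"])
    return draw


def make_small_seed_source(seed_bits=12):
    """Constructed model of a device re-seeded on every power cycle from only
    2**seed_bits possible seeds (same hardwired key, a few bits of noise):
    the whole output space collapses to 2**seed_bits distinct values."""
    state = {"ctr": 0}

    def draw():
        state["ctr"] += 1
        seed = state["ctr"] % (1 << seed_bits)      # tiny effective seed space
        return _h32(0x1000_0000 + seed)             # offset: distinct input domain
    return draw


def count_repeats(samples):
    """Number of samples that duplicate a value already seen earlier."""
    return sum(c - 1 for c in Counter(samples).values())


def expected_repeats(n, bits):
    """Birthday-bound estimate of repeats among n uniform draws of `bits` bits:
    n(n-1)/2 pairs, each colliding with probability 2**-bits."""
    return n * (n - 1) / 2 / 2.0 ** bits


def assess_rng(draw, n=N_DRAWS, bits=WORD_BITS, slack=5):
    """Read n values from `draw` and flag the source when the repeat count
    exceeds ten times the birthday expectation plus a small absolute slack."""
    samples = [draw() for _ in range(n)]
    observed = count_repeats(samples)
    expected = expected_repeats(n, bits)
    limit = 10 * expected + slack
    return {
        "observed": observed,
        "expected": expected,
        "fraction": observed / n,
        "ok": observed <= limit,
    }


if __name__ == "__main__":
    for name, src in (("good", make_good_source()),
                      ("lockup", make_lockup_source()),
                      ("small-seed", make_small_seed_source())):
        r = assess_rng(src)
        print(f"{name:10s} repeats={r['observed']:6d} "
              f"({100 * r['fraction']:.1f}%) expected={r['expected']:.2f} ok={r['ok']}")
```

The check is deliberately crude: it only catches gross failures such as lockup or a collapsed seed space, which is exactly the class the reply describes. A source that passes it can still be a weak deterministic generator with a full-width period, so treat a clean result as necessary rather than sufficient, and pair it with the chip's certification paperwork rather than relying on either alone.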
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
