Peter Gutmann wrote:

> [EMAIL PROTECTED] ("Hal Finney") writes:
>
>> A few weeks ago I asked for information on using the increasingly prevalent
>> built-in TPM chips in computers (especially laptops) as a random number
>> source.
>
> You have to be pretty careful here. Most of the TPM chips are just rebadged
> smart cards, and the RNGs on those are often rather dubious. A standard
> technique is to repeatedly encrypt some stored seed with an onboard block
> cipher (e.g. DES) as your "RNG". Beyond the obvious attacks (DES as a PRNG
> isn't particularly strong) there are the usual paranoia concerns (how do we
> know the manufacturer doesn't keep a log of the seed and key?) and stupidity
> concerns (all devices use the same hardwired key, which some manufacturers
> have done in the past). There are also active attacks possible, e.g. request
> values from the device until the EEPROM locks up, after which you get constant
> "random" values. Finally, some devices have badly-designed challenge-response
> protocols that give you an infinite amount of RNG output to analyse, as well
> as helping cycle the RNG to lockup.
Glad to see some new information in a thread that is otherwise giving me a huge sense of deja vu. So ... where are these rebadged smartcards deployed? Who rebadges them?

> So the only hardware RNG I'd trust is one of the noise-based ones on full-
> scale crypto processors like the Broadcom or HiFn devices, or the Via x86's.
> There are some smart-card vendors who've tried to replicate this type of
> generator in a card form-factor device, but from what little technical info is
> available about generators on smart cards it seems to be mostly smoke and
> mirrors.
>
> (As an extension of this, the lack of access to a TPM's RNG isn't really any
> great loss. If it's there, you can mix it opportunistically into your own
> RNG, but I wouldn't rely on it).

+1.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.links.org/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
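The "mix it opportunistically, but don't rely on it" advice above, and the lockup failure mode in which a device starts returning constant "random" values, can both be made concrete in code. The following is an added illustration, not code from the thread or from any of the participants: a small entropy pool that hashes contributions from several sources into a chained SHA-256 state, derives output through HMAC so the pool state is never exposed, and runs a repetition test that flags any source whose output has gone constant. The `EntropyPool` class, the `simulate` and `demo` helpers and the `STUCK_TPM_BLOCK` value are all assumptions constructed for the example; the construction is illustrative rather than a standard design.

```python
import hashlib
import hmac

# Constructed value: what a locked-up device might hand back on every request.
STUCK_TPM_BLOCK = bytes.fromhex("ab" * 32)


class EntropyPool:
    """Mixes several entropy sources so that an untrusted one cannot weaken the pool.

    Illustrative construction (an assumption for this example, not the thread's design):
    - each contribution is hashed into a chained SHA-256 state, so a constant or
      attacker-known block adds nothing, but also removes nothing already present;
    - output is derived with HMAC keyed by the state, and the state is ratcheted
      after every read, so the pool contents are never handed out directly;
    - a repetition test flags a source whose output has gone constant, which is
      the lockup failure mode described in the thread.
    """

    def __init__(self, label=b"example-pool"):
        self._state = hashlib.sha256(label).digest()
        self._last = {}        # source name -> last block accepted from it
        self._failed = set()   # sources that failed the repetition test
        self._counter = 0

    def add(self, source, block):
        """Mix one block from `source` into the pool; return False if it was rejected."""
        if self._last.get(source) == block:
            # Identical block twice in a row: treat the source as stuck and stop trusting it.
            self._failed.add(source)
            return False
        self._last[source] = block
        # Length-framed so (source, block) pairs cannot collide in the hash input.
        framed = source.encode() + len(block).to_bytes(4, "big") + block
        self._state = hashlib.sha256(self._state + framed).digest()
        return True

    def failed_sources(self):
        return set(self._failed)

    def read(self, nbytes):
        """Return nbytes of output derived from the pool without revealing its state."""
        out = b""
        while len(out) < nbytes:
            self._counter += 1
            out += hmac.new(self._state, self._counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
        # Ratchet forward so a later state compromise does not expose earlier output.
        self._state = hashlib.sha256(self._state + b"ratchet").digest()
        return out[:nbytes]


def simulate(tpm_blocks, other_blocks, nbytes=32):
    """Feed paired blocks from a TPM and a second source into a fresh pool."""
    pool = EntropyPool()
    for tpm_block, other_block in zip(tpm_blocks, other_blocks):
        pool.add("tpm", tpm_block)
        pool.add("os", other_block)
    return pool.read(nbytes), pool.failed_sources()


def demo():
    """Constructed scenario: a stuck TPM mixed with a varying second source."""
    stuck = [STUCK_TPM_BLOCK] * 4
    run_a = [hashlib.sha256(b"second-source-a-%d" % i).digest() for i in range(4)]
    run_b = [hashlib.sha256(b"second-source-b-%d" % i).digest() for i in range(4)]
    out_a, failed_a = simulate(stuck, run_a)
    out_b, failed_b = simulate(stuck, run_b)
    return {
        "tpm_flagged": "tpm" in failed_a and "tpm" in failed_b,
        # Pool quality follows the best source, not the worst: same stuck TPM
        # input, different second source, different output.
        "outputs_differ": out_a != out_b,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the TPM output is only ever an additional input to a hash: if the device is good, the pool gains entropy; if it is constant, logged by the manufacturer, or keyed with a hardwired key shared across devices, the pool is no worse than it would have been without it. The repetition test is deliberately simple; a production pool would use a proper continuous health test and a vetted DRBG construction rather than this hand-rolled one.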