On 09/07/2010 12:58 PM, John Denker wrote:
> On 09/07/2010 10:21 AM, Marsh Ray wrote:
>>> If anybody can think of a practical attack against the randomness
>>> of a thermal noise source, please let us know. By "practical" I
>>> mean to exclude attacks that use such stupendous resources that
>>> it would be far easier to attack other elements of the system.
>>
>> Blast it with RF for one.
>
> 1) This is not an argument in favor of quantum noise over
> thermal noise, because the same attack would be at least
> as effective against quantum noise.
>
> 2) You can shield things so as to make this attack very,

The point is that it's a generic, relatively low-tech attack that
is likely to be effective against a straightforward implementation of
the general idea.

> 3) The attack is detectable long before it is effective,
> whereupon you can shut down the RNG, so it is at best a

Only if the engineers know about it and spend the resources to build in
such resistances to it. So the system which consumes the entropy also has
to look for the "I'm not producing any more entropy" signal as well. The
proper operation of this signaling has to be part of the test process. So
now there needs to be a way to simulate the attack scenario for testing.
Presumably this becomes another input to the system which itself must be
tested. All this adds time, cost, and complexity and it's not surprising
that they don't always get it perfect.

There is some evidence that engineers designing chips that go into
actual products (little stuff like girls' toys and smart grid power
meters) aren't familiar with this:

"This graph shows the counts of individual seed bytes in a poor random
number generator. The sample width is a single integer, and the RNG byte
is expected to be one of the very few spikes presented on this graph."

Note that the above description is a little confusing because there are
multiple problems going on here. The "seed bytes" are coming from a
poorly engineered radio source and are also going into a "poor random

Here's a better description:

> And then you have to compare it against
> other brute-force DoS attacks, such as shooting the
> computer with an AK-47.

Well, the idea of physical stress attacks is that you get the system to
do something it isn't supposed to do (e.g., sign with a weak nonce).

>> Typically the natural thermal noise amounts to just a few millivolts,
>> and so requires a relatively sensitive A/D converter. This makes it
>> susceptible to injected "unnatural noise" overloading the conversion and
>> changing most of the output bits to predictable values.
>
> Even the cheapest of consumer-grade converters has 16 bits of
> resolution, which is enough to resolve the thermal noise and
> still have _two or three orders of magnitude_ of headroom.

Were they engineered for use with crypto to resist attack? Were they
tested in an actively hostile RF environment?

It's really unwise to try to reason about the behavior of complex
systems like digital circuitry when operated outside of its absolute
maximum specifications. You'd have to re-qualify them for such use.

> you are really worried about this, studio-grade stuff is still
> quite affordable, and has even more headroom and better shielding.

And it will not get built into any product if it costs $0.01 more unless
the hardware engineer is unable to justify the additional expense.

> How much RF are we talking about here?

Probably very little if the engineer didn't take special precautions.
Also the attacker gets to choose the frequency and direction from which
the device is most susceptible and combine this with all other
techniques simultaneously. For example, perhaps one would run current
through the external shielding or expose it to a static magnetic field
(thus heating it or saturating its magnetic permeability).

> At some point you can
> undoubtedly DoS the RNG ... but I suspect the same amount of
> RF would fry most of the computers, phones, and ipods in the

So the attacker leaves his ipod out of the Faraday cage in which he's
abusing the smart card or DRM device.

> Is the RF attack in any way preferable to the AK-47 attack?

The attacker doesn't necessarily have to completely eliminate all
entropy from the output, just enough that he can make up the difference
with brute force or analytic techniques.

"Changes from Revision Original (September 2009) to Revision A" "Removed
sentence that pseudorandom data can be used for security."
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
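Added example, not part of the thread or of any product discussed in it: a small source health test of the kind the message argues the entropy consumer has to run, so that an overloaded front end is refused rather than quietly used. Both sample sets are constructed stand-ins (Gaussian noise of a few dozen counts on a 16-bit converter, and the same front end with a strong injected periodic signal); the thresholds are illustrative assumptions, not values from the thread.

```python
import math
import random
from collections import Counter

ADC_BITS = 16                      # 16-bit converter, as discussed in the thread
FULL_SCALE = 1 << ADC_BITS
MID = FULL_SCALE // 2

def clip(v):
    """Quantize and saturate at the converter rails, as a real ADC does."""
    return max(0, min(FULL_SCALE - 1, int(round(v))))

def sample_thermal(n, sigma_counts=40.0, seed=1):
    """Constructed stand-in for raw thermal noise: Gaussian jitter of a few
    dozen ADC counts around mid-scale, i.e. millivolts on a 16-bit converter."""
    rng = random.Random(seed)
    return [clip(rng.gauss(MID, sigma_counts)) for _ in range(n)]

def sample_overloaded(n, sigma_counts=40.0, amplitude=60000, seed=1):
    """Constructed stand-in for the same front end with a strong injected
    periodic signal riding on the noise: the converter clips at its rails."""
    rng = random.Random(seed)
    return [clip(MID + amplitude * math.sin(2 * math.pi * i / 37)
                 + rng.gauss(0, sigma_counts)) for i in range(n)]

def health_check(samples, max_rail_fraction=0.01, max_repeat=8, min_bits=3.0):
    """Return (healthy, reasons). Three cheap tests on raw samples that trip
    long before the output is fully predictable, so the consumer can refuse
    the entropy instead of silently using it:
      - rail test: fraction of samples pinned at 0 or full scale,
      - repetition test: longest run of identical consecutive samples,
      - min-entropy estimate of the low byte, the part the RNG would keep."""
    n = len(samples)
    reasons = []
    rails = sum(1 for s in samples if s in (0, FULL_SCALE - 1)) / n
    if rails > max_rail_fraction:
        reasons.append(f"rail fraction {rails:.3f} > {max_rail_fraction}")
    longest = run = 1
    for a, b in zip(samples, samples[1:]):
        run = run + 1 if a == b else 1
        longest = max(longest, run)
    if longest > max_repeat:
        reasons.append(f"repeat run {longest} > {max_repeat}")
    counts = Counter(s & 0xFF for s in samples)
    min_entropy = -math.log2(max(counts.values()) / n)
    if min_entropy < min_bits:
        reasons.append(f"min-entropy {min_entropy:.2f} bits/byte < {min_bits}")
    return not reasons, reasons

if __name__ == "__main__":
    print(health_check(sample_thermal(4096)))      # healthy, no reasons
    print(health_check(sample_overloaded(4096)))   # unhealthy, all three trip
```

The consumer should gate on the boolean, not on the reasons: an injected signal does not have to pin the converter at the rails to fail the repetition or min-entropy test, which is why more than one check is worth running.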