On 9/09/13 06:42 AM, James A. Donald wrote:
On 2013-09-09 11:15 AM, Perry E. Metzger wrote:
Lenstra, Heninger and others have both shown mass breaks of keys based
on random number generator flaws in the field. Random number
generators have been the source of a huge number of breaks over time.

Perhaps you don't see the big worry, but real world experience says
it is something everyone else should worry about anyway.

Real world experience is that there is nothing to worry about /if you do
it right/.  And that it is frequently not done right.

When you screw up AES or such, your test vectors fail, your unit test
fails, so you fix it, whereas if you screw up entropy, everything
appears to work fine.


It is hard, perhaps impossible, to have test suite that makes sure that
your entropy collection works.

One can, however, have a test suite that ascertains that on any two runs
of the program, most items collected for entropy are different except
for those that are expected to be the same, and that on any run, any
item collected for entropy does make a difference.

Does your unit test check your entropy collection?

When I audited the process for root key ceremony for CAcert, I worried a fair bit about randomness. I decided the entropy was untestable (therefore unauditable).

So I wrote a process such that several people would bring their own entropy source. E.g., in the one event, 3 sources were used, by independent people on independent machines:

  * I used a sha-stream of laptop camera on dark paper [0]
  * Teus used sound card driver [1]
  * OpenSSL's RNG.

The logic was that as long as one person was honest and had a good source, and as long as our mixing was verifiable, the result would be good.

Then, I wrote a small C program to mix it [2]; as small as possible so a room full of techies could spend no more than 10 minutes checking it on the day [3].

The output of this was then fed into the OpenSSL script to do the root key. (I'm interested if anyone can spot a flaw in this concept.)


[0] This idea from Jon Callas from memory, the idea is that the lack of light and lack of discrimination between pixels drives the photocells into a quantam uncertainty state.
[1] John Denker's sound card driver.
[2] As an amusing sidenote, I accidentally used | to mix the bytes not ^. My eyeball tests passed at 2 sources but at 3 sources it was starting to look decidedly wonky. [3] It was discussed on the group at this time, it was advised that the output of the mix should be sha'd, which I eventually agreed with, but I don't think I did in the event.
The cryptography mailing list

Reply via email to