Re: Toshiba shows 2Mbps hardware RNG
Peter Gutmann wrote:

> David G. Koontz [EMAIL PROTECTED] writes:
>
> > Military silicon already has RNG on chip (e.g. AIM, Advanced INFOSEC Machine, Motorola),
>
> That's only a part of it. Military silicon has a hardware RNG on chip alongside a range of other things because they know full well that you can't trust only a hardware/noise-based RNG; there are too many variables and too many things that can go wrong with that single source. That's why I was sceptical of the "we've solved the RNG problem with our custom hardware" claim: they've created one possible source of input but not a universal solution.
>
> Peter.

Peter, you've just hit on something that's genuinely confused me for quite some time.

Combining hash functions has always seemed naive -- the problem with chaining two different functions is that it creates a midpoint; you can collide half the bitspace independently of the other half. Better to just thoroughly mix them both.

But shouldn't it be an improvement to XOR a theoretically correct RNG with a well-seeded PRNG, based on the theory that:

1) Either generator could be safely XOR'd against a repeated series of 0x41's, and the output would still be just as random

2) The flaws of a subtly broken RNG would be difficult to exploit through the noise of a sufficiently validated cryptographic function, and vice versa

For example, the following construction:

Start with an RNG. Retrieve 64K of random data. Assume there might be a bias somewhere in there, but that at least 256 bits are good. SHA-256 the data. AES-256 encrypt the data with the result from the SHA-256. XOR the random data against its encrypted self. Return 64K of PRNG-hardened RNG data.

Aside from the obvious rejoinder to maybe XOR *another* batch of entropy against the previous batch's encrypted self (a change that halves performance), I can't see much wrong. I rather deeply doubt I'm the first to come up with a suggestion like that either. So, uh, why do weak RNGs keep showing up?

Is there something fundamentally breakable in the above design?

--Dan

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
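The construction described in the post above, written out as an added example in Go (not code from the original post or its author). The post names no cipher mode, so AES-256 in CTR mode with an all-zero IV is an assumption here, and the constructed input is the post's own repeated-0x41 stream standing in for a badly broken source; the second function makes the point Peter raises, that the whole thing is a deterministic function of the sample and so can whiten bias but cannot add entropy the source never had.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// hardenRNG implements the posted construction: hash the raw sample with
// SHA-256, use the digest as an AES-256 key, encrypt the sample under that
// key, and XOR the sample with its own ciphertext. The post does not name
// a cipher mode; CTR with an all-zero IV is an assumption made here, since
// the construction has no independent IV to draw on.
func hardenRNG(raw []byte) ([]byte, error) {
	key := sha256.Sum256(raw) // "SHA-256 the data"
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // assumed: zero IV
	enc := make([]byte, len(raw))
	cipher.NewCTR(block, iv).XORKeyStream(enc, raw) // "AES-256 encrypt the data"
	out := make([]byte, len(raw))
	for i := range raw { // "XOR the random data against its encrypted self"
		out[i] = raw[i] ^ enc[i]
	}
	return out, nil
}

// deterministic reports whether two runs on the same sample agree. They
// always do: the output carries no more entropy than the raw sample, so a
// broken source stays broken no matter how random the bytes look.
func deterministic(raw []byte) bool {
	a, err1 := hardenRNG(raw)
	b, err2 := hardenRNG(raw)
	return err1 == nil && err2 == nil && bytes.Equal(a, b)
}

func main() {
	// Constructed input: the repeated 0x41 stream from the post, i.e. a
	// source with essentially no entropy at all.
	raw := bytes.Repeat([]byte{0x41}, 64)
	out, _ := hardenRNG(raw)
	fmt.Printf("whitened prefix: %x\n", out[:16])
	fmt.Println("same output on re-run:", deterministic(raw))
}
```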
kit to prevent computers from losing power during seizure.
It appears that disk encryption techniques are spawning technical responses. This gadget lets law enforcement take a computer without ever turning off the power.

http://www.wiebetech.com/products/HotPlug.php

Countermeasures are, of course, quite possible.

[Hat tip: Bruce Schneier's blog.]

-- Perry E. Metzger [EMAIL PROTECTED]
Re: House o' Shame: Amtrak
Not just Amtrak. The Economist and The New Yorker both do the same thing. I tried engaging them in a discussion on the subject. The Economist never replied, whereas the New Yorker assured me that those addresses were indeed theirs.

I haven't figured out how to get past the clueless people whose job is not to be clueful and engage the clueless people whose job should be to be clueful.

/ji
Re: House o' Shame: Amtrak
Perry E. Metzger [EMAIL PROTECTED] writes:

> Steve Bellovin documents on his blog a recent attempt by Amtrak to teach its customers to be phishing victims:
>
> http://www.cs.columbia.edu/~smb/blog/2008-02/2008-02-13.html
>
> From the blog:
>
> > The next problem, though, is that the message asks people to log in by clicking a link in the message: "Go to Amtrak.com now and update your profile" http://amtrak.bfi0.com/.

It's not just Amtrak that do that; CapitalOne also send out phishing email directing users to bfi0.com.

Lesson for phishers: If you want your phish to seem more legit, outsource it to Bigfoot Interactive, which seems to lead back to Epsilon Agency Services, who specialise in... well, phishing, but for the good guys. I bet the Russian Business Network could do it for less though :-).

Peter.
Re: Toshiba shows 2Mbps hardware RNG
On Wed, 13 Feb 2008 20:38:49 -0800 [EMAIL PROTECTED] wrote:

> ----- Original Message -----
> From: Pat Farrell [EMAIL PROTECTED]
> To:
> Subject: Re: Toshiba shows 2Mbps hardware RNG
> Date: Sun, 10 Feb 2008 17:40:19 -0500
>
> > Perry E. Metzger wrote:
> >
> > > [EMAIL PROTECTED] (Peter Gutmann) writes:
> > >
> > > > I've always wondered why RNG speed is such a big deal for anything but a few highly specialised applications.
> > >
> > > Perhaps it isn't, but any hardware RNG is probably better than none for many apps, and they've managed to put the whole thing in a quite small bit of silicon. The speed is probably icing on the cake.
> >
> > One of the benefits of speed is that you can use cleanup code to control bias. Carl Ellison put some out on his website last century.
>
> It is a HUGE win for designing a crypto system to have a really fast (and good) HW RNG. Being able to generate 10-20,000 AES keys per second means that you can engineer things that were impossible to do otherwise. You can generate as many keys as you like, throw away keys after one-time use, treat them as ephemeral authentication keys (say give a few million or so to a user), etc.
>
> Or you could hand a sender 10 MBytes (less than a minute to generate), which then can be used to create billions of keys (say using Ueli Maurer's Bounded Storage Model). The sender could then use each key to uniquely encrypt (AES CTR) each message of a series of messages or packets to a receiver (AES key setup is fast). No need for an IV or worrying about message ordering (each one has a key id), or even the compromise of a key or two.
>
> Randomness is the most fundamental underpinning of a crypto system and having lots of it on demand is really fabulous to have in our system security design tool box.

Leaving aside whether or not your scenarios make sense, why must this be done via a hardware RNG? I ran 'openssl speed aes' on a 3.4 GHz single-core Pentium. On 16-byte blocks with AES-128 -- i.e., running AES in counter mode to generate 128-bit keys -- it ran at about 3.4M encryptions/second. That's more than two orders of magnitude better than you say is needed. Why do I need hardware?

Hardware RNGs are great for producing initial seeds. They're also great for producing new randomness to stir into the pot (i.e., via something like Yarrow). But they're lousy for ongoing work because they're relatively low assurance. As others have noted, software has a big advantage: it's deterministic. Once you know it's working, you have much higher assurance that it will continue to work the same way. (Aside: I know quite a bit about the problem of certifying complex software. A cryptographically strong PRNG doesn't fall into that category if you have confidence in the algorithm.)

Remember the Clipper chip? According to Dorothy Denning, the escrowed keys -- that is, the entire security of the basic scheme -- were generated by several applications of Skipjack, the underlying block cipher -- see http://catless.ncl.ac.uk/Risks/14.52.html#subj1 for details. (Note: that statement was later disavowed. I'm not sure I believe the disavowal; it looked secure to me.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb