Re: Quantum RNG (was: Use of TPM chip for RNG)

2006-07-08 Thread Travis H.

On 7/4/06, Taral <[EMAIL PROTECTED]> wrote:

> On 7/4/06, Andrea Pasquinucci <[EMAIL PROTECTED]> wrote:
> > About RNG, does someone in the list have any comment, ideas on this
> > http://www.idquantique.com/products/quantis.htm
>
> Why? Noise-based RNGs are just as random and just as "quantum". :)


Hella fast.  Most of the RNGs based on electrical noise are not
particularly pure -- some even use noisy diodes, which are decidedly
predictable.  Those that bother to isolate out one noise phenomenon or
another sacrifice speed, and the average consumer won't have the
technical background to judge them on anything else.  Sampling faster
gives more bits, but no more randomness.  Overall, you're going to be
limited by temperature with electrical noise phenomena.

On the other hand, the quantis device appears to be simple,
straightforward, and "clean".  But it's all sealed up in an opaque
container.  I asked them some questions about it and the person I was
speaking with didn't seem to understand why anyone would care about
what's in the module.

Note that they sell QC endpoints as well.  Very interesting company.
--
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Use of TPM chip for RNG?

2006-07-05 Thread Anne & Lynn Wheeler

Peter Gutmann wrote:

> Exactly.  The FIPS 140 (strictly speaking X9.17/X9.31 PRNG) tests test a
> generator's determinism, not its nondeterminism.  In other words they generate
> a set of input/output pairs from a known-good generator and then make sure
> that the generator being certified produces the same output.  Actually getting
> nondeterminism into the process is quite tricky, and involves extremely
> careful and creative reinterpretation of the "DT vector" (date-and-time)
> input.  The non-creatively-interpreted generator depends for its strength
> entirely on the key chosen for the PRNG.  If it's constant across all devices,
> it'll pass the certification but its strength will be close to zero.


i.e. you have to actually understand what is being tested; fips, common 
criteria, etc. there was a presentation a couple years ago on common 
criteria certification for the same EAL4 level ... supposedly something 
like 64 certifications had been done to the same protection profile ... 
but in the fine print, something like sixty (of the 64) evaluations had 
some sort of (unspecified) deviations ... so you didn't even know that 
two "things" evaluated to the same level with supposedly the same 
protection profile ... were in any way comparable (assuming you actually 
have access to the protection profiles that are being used for the evaluations).


i believe some of the earlier mentioned chips
http://www.garlic.com/~lynn/aadsm24.htm#19 Use of TPM chip for RNG?

had been FIPS140 evaluated ... even tho the 64k power on/off tests 
followed by RNG were found to have something like 30 percent of the 
values repeat some previously generated value.


we started seriously looking at aads chip strawman
http://www.garlic.com/~lynn/x959.html#aads

around '98 ... in part, to support x9.59 transactions ... and mandated both 
on-chip keygen as well as EC/DSA ... both operations requiring fairly 
high integrity RNG. However, at the time, I somewhat facetiously claimed 
that we were going to take a $500 milspec part, cost reduce it by better 
than two orders of magnitude and at the same time improve its 
security/integrity. In any case, significantly higher RNG assurance was 
required than what was normally found in most chips.


I made somewhat the same claim in an assurance panel at spring 2001 IDF 
in the TPM track ... somewhat chiding the TPM people in the audience.


Another aspect of evaluation certification was that a lot of chips were 
evaluated straight out of the fab ... based on the characteristic of the 
chip at that moment. after that the applications and crypto were loaded 
onto the chip (so even for chips that might have some RNG capability, 
since the applications that might expose any RNG characteristics weren't 
yet loaded ... RNG wasn't part of the chip evaluation).


What we ran into with aads chip strawman ... was that key-gen and ec/dsa 
was built into the manufactured chip as it came from the fab. As a 
result key-gen and ec/dsa became part of the chip evaluation ... and 
formal definition of same, limited the evaluation level. this was even 
tho other uses of very similar chips were able to claim much higher 
certification levels (since they were able to certify prior to loading 
various crypto and RNG related applications ... aka there were 
significant differences in the protection profiles that the 
certifications were based on).




Re: Use of TPM chip for RNG?

2006-07-05 Thread Peter Gutmann
Ben Laurie <[EMAIL PROTECTED]> writes:

>So ... where are these rebadged smartcards deployed? Who rebadges them?

System integrators usually.  The way it works is that the company that fabs
the devices (typically Atmel, STMicroelectronics, or Infineon) create the
silicon.  Then a second-level vendor (say, Gemplus) load their firmware into
the basic device and bond out the serial lines (ISO 7816) or USB lines (USB
key) and then it's a GemSAFE card or a USB token (OK, Gemplus don't do USB
tokens, but you know what I mean).  Some companies (e.g. Infineon) do both
steps themselves.

For the TPM, you bond out the LPC lines instead of the USB or serial ones, and
load TPM firmware instead of smart-card firmware.

I'm simplifying that somewhat in that there isn't one single device into which
you load one set of firmware and it's a TPM and another set of firmware and
it's a smart card.  Smart cards and TPMs are part of the same family of
devices, where you might have 20 variants on the same basic device with 18 of
the variants targeted for smart-card use and 2 targeted for TPM use.  Look at
Atmel's SecureAVRs for an example, there's a whole shopping-list of variations
on that (ROM/RAM/EEPROM/with or without bignum accelerator/etc), and some of
the shopping-list entries are targeted at TPM.  But under the hood the
97SCwhatever TPM is a 90SC-family SecureAVR with different firmware.  Same
with STM's ST19something smart card vs. ST19something-else TPM, and Infineon's
SLE66CX smart card vs. SLE66CX TPM - they're just smart cards with clever
marketing.

Peter.



Re: Use of TPM chip for RNG?

2006-07-05 Thread Peter Gutmann
Thor Lancelot Simon <[EMAIL PROTECTED]> writes:
>On Mon, Jul 03, 2006 at 10:41:05AM -0600, Anne & Lynn Wheeler wrote:
>> however, at least some of the TPM chips have RNGs that have some level
>> of certification (although you might have to do some investigation to
>> find out what specific chip is being used for TPM).
>
>See one of the examples in my other message today in this thread (subject
>changed as an aid to new readers) for an example of why you should *not*
>trust such certifications as evidence that the RNG is any good.
>
>Summary: I have encountered one such RNG that was FIPS-140 certified as a
>Deterministic RNG but whose "hardware" inputs the vendor refused to disclose,
>which I find extremely suspicious.  It is possible to get a DRNG certified
>without careful analysis of what its input is; I have personally seen this
>happen and heard of more instances even after NIST gave specific guidance to
>the contrary.

Exactly.  The FIPS 140 (strictly speaking X9.17/X9.31 PRNG) tests test a
generator's determinism, not its nondeterminism.  In other words they generate
a set of input/output pairs from a known-good generator and then make sure
that the generator being certified produces the same output.  Actually getting
nondeterminism into the process is quite tricky, and involves extremely
careful and creative reinterpretation of the "DT vector" (date-and-time)
input.  The non-creatively-interpreted generator depends for its strength
entirely on the key chosen for the PRNG.  If it's constant across all devices,
it'll pass the certification but its strength will be close to zero.

Peter.



Re: Use of TPM chip for RNG?

2006-07-04 Thread Thor Lancelot Simon
On Mon, Jul 03, 2006 at 10:41:05AM -0600, Anne & Lynn Wheeler wrote:
> 
> however, at least some of the TPM chips have RNGs that have some level 
> of certification (although you might have to do some investigation to 
> find out what specific chip is being used for TPM).

See one of the examples in my other message today in this thread (subject
changed as an aid to new readers) for an example of why you should *not*
trust such certifications as evidence that the RNG is any good.

Summary: I have encountered one such RNG that was FIPS-140 certified as
a Deterministic RNG but whose "hardware" inputs the vendor refused to
disclose, which I find extremely suspicious.  It is possible to get a
DRNG certified without careful analysis of what its input is; I have
personally seen this happen and heard of more instances even after NIST
gave specific guidance to the contrary.

-- 
  Thor Lancelot Simon   [EMAIL PROTECTED]

  "We cannot usually in social life pursue a single value or a single moral
   aim, untroubled by the need to compromise with others."  - H.L.A. Hart



Re: Use of TPM chip for RNG?

2006-07-04 Thread Ben Laurie
Peter Gutmann wrote:
> [EMAIL PROTECTED] ("Hal Finney") writes:
> 
>> A few weeks ago I asked for information on using the increasingly prevalent
>> built-in TPM chips in computers (especially laptops) as a random number
>> source.
> 
> You have to be pretty careful here.  Most of the TPM chips are just rebadged
> smart cards, and the RNGs on those are often rather dubious.  A standard
> technique is to repeatedly encrypt some stored seed with an onboard block
> cipher (e.g. DES) as your "RNG".  Beyond the obvious attacks (DES as a PRNG
> isn't particularly strong) there are the usual paranoia concerns (how do we
> know the manufacturer doesn't keep a log of the seed and key?) and stupidity
> concerns (all devices use the same hardwired key, which some manufacturers
> have done in the past).  There are also active attacks possible, e.g. request
> values from the device until the EEPROM locks up, after which you get constant
> "random" values.  Finally, some devices have badly-designed challenge-response
> protocols that give you an infinite amount of RNG output to analyse, as well
> as helping cycle the RNG to lockup.

Glad to see some new information in a thread that is otherwise giving me
a huge sense of deja vu. So ... where are these rebadged smartcards
deployed? Who rebadges them?

> 
> So the only hardware RNG I'd trust is one of the noise-based ones on full-
> scale crypto processors like the Broadcom or HiFn devices, or the Via x86's.
> There are some smart-card vendors who've tried to replicate this type of
> generator in a card form-factor device, but from what little technical info is
> available about generators on smart cards it seems to be mostly smoke and
> mirrors.
> 
> (As an extension of this, the lack of access to a TPM's RNG isn't really any
> great loss.  If it's there, you can mix it opportunistically into your own
> RNG, but I wouldn't rely on it).

+1.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



Re: Quantum RNG (was: Use of TPM chip for RNG)

2006-07-04 Thread Taral

On 7/4/06, Andrea Pasquinucci <[EMAIL PROTECTED]> wrote:

About RNG, does someone in the list have any comment, ideas on this

http://www.idquantique.com/products/quantis.htm


Why? Noise-based RNGs are just as random and just as "quantum". :)

--
Taral <[EMAIL PROTECTED]>
"You can't prove anything."
   -- Gödel's Incompetence Theorem



Re: Use of TPM chip for RNG?

2006-07-04 Thread leichter_jerrold
| On 7/3/06, Leichter, Jerry <[EMAIL PROTECTED]> wrote:
| > You're damned if you do and damned if you don't.  Would you want to use a
| > hardware RNG that was *not* inside a tamper-proof package - i.e., inside
| > of a package that allows someone to tamper with it?
| 
| Yes.  If someone has physical access to your equipment, they could
| compromise it.  On the other hand, if you have access to it, you can
| establish a baseline and check it for changes.
This assumes an odd definition of "tamper-proof":  I can't look inside,
but the bad guys can change it without my knowing.  There are such
things around - all too many of them; your typical Windows PC, for
most people, is a great exemplar of the class - but no one describes
them as "tamper-proof".  "Tamper-proof" means that *no one* can change
the thing.  Obviously, this is a matter of degree, and "tamper-resistant"
is a much better description.  But there are devices considered
"tamper-resistant" against very well-funded, very technologically
adept adversaries.

|I recall the book
| titled "Computer Security" by Carroll suggested taking polaroids of
| all your equipment, and from each window, and other even more paranoid
| things
which is yet another issue, that of tamper-evident design.  If your
design isn't tamper-evident - which again is a matter of degree -
it's unlikely your pictures will do you much good against even a
moderately sophisticated attacker.  With physical access and no
tamper evidence, a couple of minutes with a USB stick is all that's
necessary to insert some rather nasty code, which you have little
hope of detecting, whether by physical or software means.

-- Jerry




Re: Use of TPM chip for RNG?

2006-07-04 Thread Anne & Lynn Wheeler

Travis H. wrote:
> http://www.usenix.org/publications/library/proceedings/smartcard99/technical.html
> http://www.usenix.org/publications/library/proceedings/cardis02/tech.html

and even this ... having to resort to the wayback machine
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

includes mention of "yes card" attack (end of last paragraph). however, 
the "yes card" attack is really an attack on the terminals (and the 
infrastructure implementation) ... not on cards. a few posts discussing 
"yes card"


http://www.garlic.com/~lynn/aadsm24.htm#1 UK Detects Chip-AND-Pin 
Security Flaw

http://www.garlic.com/~lynn/aadsm24.htm#14 Naked Payments IV



Re: Quantum RNG (was: Use of TPM chip for RNG)

2006-07-04 Thread Andrea Pasquinucci
About RNG, does someone in the list have any comment, ideas on this

http://www.idquantique.com/products/quantis.htm

"Quantis is a physical random number generator exploiting an elementary 
quantum optics process. Photons - light particles - are sent one by one 
onto a semi-transparent mirror and detected. The exclusive events 
(reflection - transmission) are associated to "0" - "1" bit values."

Just curious of your opinion.

Andrea
 
--
Andrea Pasquinucci [EMAIL PROTECTED]
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2



Re: Use of TPM chip for RNG?

2006-07-04 Thread Travis H.

On 7/2/06, Peter Gutmann <[EMAIL PROTECTED]> wrote:

> You have to be pretty careful here.  Most of the TPM chips are just rebadged
> smart cards, and the RNGs on those are often rather dubious.


My last email of the day, I promise ;-)

And if you're interested in some of the smart card developments, you
might want to check out these proceedings:

http://www.usenix.org/publications/library/proceedings/smartcard99/technical.html
http://www.usenix.org/publications/library/proceedings/cardis02/tech.html
--
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484



Re: Use of TPM chip for RNG?

2006-07-04 Thread Travis H.

On 7/3/06, Leichter, Jerry <[EMAIL PROTECTED]> wrote:

> You're damned if you do and damned if you don't.  Would you want to use a
> hardware RNG that was *not* inside a tamper-proof package - i.e., inside
> of a package that allows someone to tamper with it?


Yes.  If someone has physical access to your equipment, they could
compromise it.  On the other hand, if you have access to it, you can
establish a baseline and check it for changes.  I recall the book
titled "Computer Security" by Carroll suggested taking polaroids of
all your equipment, and from each window, and other even more paranoid
things.  As a non-sequitur, in the first edition, he had the following
wonderful quote on the dust jacket:

``Computer crime has become the "glamor crime" of the 1970s...''

Perhaps he was a bit ahead of his time.


> A "spiked" RNG of the kind you describe is at least somewhat fixable:
> Choose a fixed secret key and encrypt the output of the generator with
> the key before using it
> ... nor do you have to fix it for good.)


Were you to periodically take the output of the generator and use it
as a new key, you would have something remarkably similar to the
fortuna and yarrow PRNGs.  If you don't do something like that, you
have cycle lengths equal to your input's cycle length, which for the
designs we've been discussing, is fixed, so pretty easy to distinguish
from random (assuming you have access to enough output).
--
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484



Re: Use of TPM chip for RNG?

2006-07-04 Thread Anne & Lynn Wheeler

Peter Gutmann wrote:

> You have to be pretty careful here.  Most of the TPM chips are just rebadged
> smart cards, and the RNGs on those are often rather dubious.  A standard
> technique is to repeatedly encrypt some stored seed with an onboard block
> cipher (e.g. DES) as your "RNG".  Beyond the obvious attacks (DES as a PRNG
> isn't particularly strong) there are the usual paranoia concerns (how do we
> know the manufacturer doesn't keep a log of the seed and key?) and stupidity
> concerns (all devices use the same hardwired key, which some manufacturers
> have done in the past).  There are also active attacks possible, e.g. request
> values from the device until the EEPROM locks up, after which you get constant
> "random" values.  Finally, some devices have badly-designed challenge-response
> protocols that give you an infinite amount of RNG output to analyse, as well
> as helping cycle the RNG to lockup.


One of the issues for a long time for that class of chips is whether 
on-chip key-gen and/or supported DSA (and/or ECDSA) were in use ... 
processes where reasonably good RNGs are integral to the operation.


at one point there were tests for a collection of chips in that class 
that performed 65k power-cycle/RNG operations and found that something 
like 30 percent of the numbers were repeated.


however, at least some of the TPM chips have RNGs that have some level 
of certification (although you might have to do some investigation to 
find out what specific chip is being used for TPM).




Re: Use of TPM chip for RNG?

2006-07-03 Thread Leichter, Jerry
| > A few weeks ago I asked for information on using the increasingly
| > prevalent built-in TPM chips in computers (especially laptops) as a
| > random number source.  I got some good advice and want to summarize the
| > information for the benefit of others.
| 
| Thanks for the useful summary!  For the sake of completeness, let me also add
| that RNGs in tamper-proof hardware are potentially rather controversial, since
| there are several known ways to produce output which looks very random to
| anyone who doesn't know some secret, but allows those who do to predict what
| future outputs will be.  I believe one straightforward way to do this would be
| to simply use a symmetric encryption function outputting "random" data blocks
| 
| r_i=Encrypt(key, r_(i-1))
| 
| If you don't know the secret key, the output will look at least somewhat
| random, but if you do, you can use any block to predict all subsequent and
| prior ones.  (This topic has been discussed in the literature, and my
| off-the-cuff example may not be particularly strong.)
Your example would, in fact, be as strong as any.  It's generally
considered a significant - often disqualifying - fault of a modern
cryptosystem if its output can be distinguished from that of a random
function.  Feeding the input back is a common method for testing for
such non-randomness, since the expected cycle length for random
functions can be calculated and many older cryptographic functions
showed weaknesses here.

| I believe it's a fair summary to say that hardware RNG is a neat and useful
| feature, but may be unsuitable for the sufficiently paranoid when it comes in
| a tamper-proof package.
You're damned if you do and damned if you don't.  Would you want to use a
hardware RNG that was *not* inside a tamper-proof package - i.e., inside
of a package that allows someone to tamper with it?

A "spiked" RNG of the kind you describe is at least somewhat fixable:
Choose a fixed secret key and encrypt the output of the generator with
the key before using it.  Assuming the cryptographic function you use is
good - and in the end you're almost certain to make that assumption
somewhere - the resulting bits can be treated as random.  (Note that you
don't ever have to share that key with anyone, nor do you have to fix it
for good.)  (And, yes, on a theoretical level, there is only one block's
worth of entropy in such a generator, so it's not so good.  Assuming the
same crypto algorithm throughout, one way or another, the best you can
get is the difficulty of a brute-force attack on the smaller of a key or
a block.  For repeated uses, an attack on the generator, of course,
may give you access to much more than one key.)

As has been discussed here previously, there are other ways to "spike"
hardware, including an RNG, that are much more insidious.  An RNG that
only covers a small fraction of the possible outputs is one possibility.
For example, r_i = Encrypt(key,i mod 2^32) will look quite random unless
you get more than 2^32 samples, but there's a trivial brute-force attack
against the output - which works just as well against the "encrypt before
using" fix.
-- Jerry
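The two "spiked" generators Jerry describes, together with Jason Holt's r_i = Encrypt(key, r_(i-1)) that he quotes, as an added, runnable illustration that is not part of the thread and not anyone's posted code. The block cipher here is a toy 64-bit Feistel network built on SHA-256, an assumption standing in for the smart card's DES (it is a permutation good enough for the demonstration, not a cipher to reuse); the vendor key, local key and seed are constructed values. It shows that anyone holding the vendor key predicts the next and previous outputs, that encrypting each output under a locally chosen secret key stops that, and that a generator covering only 2^m outputs remains detectable by a plain repeat count even after the fix, which is the same kind of check as the power-cycle test Lynn mentions:

```python
"""Added example: spiked RNGs, the encrypt-before-using fix, and a repeat check."""
import hashlib

BLOCK = 8          # toy 64-bit block made of two 4-byte halves
HALF = BLOCK // 2
ROUNDS = 8


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: keyed SHA-256 truncated to one half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel cipher standing in for the thread's Encrypt(key, .)."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt: same rounds, applied in reverse order."""
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


class SpikedRng:
    """Jason Holt's generator: r_i = Encrypt(vendor_key, r_{i-1})."""

    def __init__(self, vendor_key: bytes, seed: bytes):
        self.key, self.state = vendor_key, seed

    def next_block(self) -> bytes:
        self.state = encrypt(self.key, self.state)
        return self.state


class CounterRng:
    """Jerry's second spike: r_i = Encrypt(vendor_key, i mod period), tiny period."""

    def __init__(self, vendor_key: bytes, period: int):
        self.key, self.period, self.i = vendor_key, period, 0

    def next_block(self) -> bytes:
        block = encrypt(self.key, (self.i % self.period).to_bytes(BLOCK, "big"))
        self.i += 1
        return block


class Whitened:
    """Jerry's fix: encrypt every output under a locally chosen secret key."""

    def __init__(self, inner, local_key: bytes):
        self.inner, self.key = inner, local_key

    def next_block(self) -> bytes:
        return encrypt(self.key, self.inner.next_block())


def predict_next(vendor_key: bytes, observed: bytes) -> bytes:
    """What a vendor-key holder computes from one observed block."""
    return encrypt(vendor_key, observed)


def predict_previous(vendor_key: bytes, observed: bytes) -> bytes:
    return decrypt(vendor_key, observed)


def distinct_outputs(rng, n: int) -> int:
    """Repeat check: a sound 64-bit generator yields ~n distinct blocks for small n.
    Whitening is a bijection, so it cannot raise this count for a spiked source."""
    return len({rng.next_block() for _ in range(n)})


if __name__ == "__main__":
    vendor = b"hardwired-vendor-key"   # constructed: the same key in every device
    local = b"my-local-secret"         # constructed: never leaves this host
    dev = SpikedRng(vendor, bytes(BLOCK))
    r1, r2 = dev.next_block(), dev.next_block()
    print("vendor key predicts next:", predict_next(vendor, r1) == r2)
    print("counter RNG distinct of 1000:", distinct_outputs(CounterRng(vendor, 256), 1000))
    print("whitened counter RNG distinct of 1000:",
          distinct_outputs(Whitened(CounterRng(vendor, 256), local), 1000))
```

Run against a real device, `distinct_outputs` is the cheap first check: a source whose distinct count stalls well below the sample size is broken regardless of what was done to its output afterwards, whereas predictability under a hidden key only shows up if you already know that key, which is exactly why the local-key wrapper is worth its cost.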




Re: Use of TPM chip for RNG?

2006-07-03 Thread Peter Gutmann
[EMAIL PROTECTED] ("Hal Finney") writes:

>A few weeks ago I asked for information on using the increasingly prevalent
>built-in TPM chips in computers (especially laptops) as a random number
>source.

You have to be pretty careful here.  Most of the TPM chips are just rebadged
smart cards, and the RNGs on those are often rather dubious.  A standard
technique is to repeatedly encrypt some stored seed with an onboard block
cipher (e.g. DES) as your "RNG".  Beyond the obvious attacks (DES as a PRNG
isn't particularly strong) there are the usual paranoia concerns (how do we
know the manufacturer doesn't keep a log of the seed and key?) and stupidity
concerns (all devices use the same hardwired key, which some manufacturers
have done in the past).  There are also active attacks possible, e.g. request
values from the device until the EEPROM locks up, after which you get constant
"random" values.  Finally, some devices have badly-designed challenge-response
protocols that give you an infinite amount of RNG output to analyse, as well
as helping cycle the RNG to lockup.

So the only hardware RNG I'd trust is one of the noise-based ones on full-
scale crypto processors like the Broadcom or HiFn devices, or the Via x86's.
There are some smart-card vendors who've tried to replicate this type of
generator in a card form-factor device, but from what little technical info is
available about generators on smart cards it seems to be mostly smoke and
mirrors.

(As an extension of this, the lack of access to a TPM's RNG isn't really any
great loss.  If it's there, you can mix it opportunistically into your own
RNG, but I wouldn't rely on it).

Peter.



Re: Use of TPM chip for RNG?

2006-06-30 Thread Jason Holt


On Thu, 29 Jun 2006, "Hal Finney" wrote:

> A few weeks ago I asked for information on using the increasingly
> prevalent built-in TPM chips in computers (especially laptops) as a
> random number source.  I got some good advice and want to summarize the
> information for the benefit of others.


Thanks for the useful summary!  For the sake of completeness, let me also add 
that RNGs in tamper-proof hardware are potentially rather controversial, since 
there are several known ways to produce output which looks very random to 
anyone who doesn't know some secret, but allows those who do to predict what 
future outputs will be.  I believe one straightforward way to do this would be 
to simply use a symmetric encryption function outputting "random" data blocks


r_i=Encrypt(key, r_(i-1))

If you don't know the secret key, the output will look at least somewhat 
random, but if you do, you can use any block to predict all subsequent and 
prior ones.  (This topic has been discussed in the literature, and my 
off-the-cuff example may not be particularly strong.)


I believe it's a fair summary to say that hardware RNG is a neat and useful 
feature, but may be unsuitable for the sufficiently paranoid when it comes in 
a tamper-proof package.


-J



Re: Use of TPM chip for RNG?

2006-06-29 Thread "Hal Finney"
A few weeks ago I asked for information on using the increasingly
prevalent built-in TPM chips in computers (especially laptops) as a
random number source.  I got some good advice and want to summarize the
information for the benefit of others.

The TPM chip as spec'd by the Trusted Computing Group
(www.trustedcomputinggroup.org) is a complex and controversial device.
Despite (or perhaps because of) all the fuss over it when the technology
was introduced, nothing much has happened with it and they are mostly
used to add a bit of security to encrypted files and such.  TPMs do have
hardware RNGs and I wanted to find out how to access this capability.

On Windows, there are several APIs available which can work.
The "native" API for the TPM is the Trusted Software Stack (TSS).
https://www.trustedcomputinggroup.org/groups/software/ This provides a
wide range of TPM-specific functions, including ones to access the RNG.
Another alternative is Microsoft's Crypto API (MS-CAPI).  CAPI uses a
plug-in architecture where Crypto Service Providers (CSPs) provide the
required functionality.  TPM-based CSPs allow access to TPM functions
via CAPI.  Third, the PKCS-11 (Cryptoki) API is designed for access
to smart cards, but TPM manufacturers often deliver PKCS-11 compatible
libraries for access to the chips.  Both CAPI and PKCS-11 have random
number functionality which can be used to access the TPM RNG.

The main problem in practice with using this functionality on Windows is
that there is as yet no standard for naming or locating the DLL's which
supply the necessary functions.  I am testing on an IBM Thinkpad with
an Atmel TPM, and it comes with DLL's that provide TSS, CAPI and PKCS-11
interfaces.  But all are supplied with non-standard names and located in
non-standard places.  Software to use these functions has to know where
the DLLs are and what they are called in order to load them explicitly.

The exception is MS-CAPI.  CAPI provides an interface to enumerate all
the CSPs, so if you can figure out which one is the TPM CSP you can then
use that one to generate random numbers.  One of the CAPI functions lets
you query to see if the CSP has hardware RNG support.  On my system,
this returns TRUE for the TPM CSP.  However, a colleague has a Dell
system with a different TPM and different software, and that TPM's CSP
does not set this bit.  So I don't have a foolproof method of figuring
out which CSP to use in order to access the TPM.  It might be possible
to hard-code the names of all known TPM CSPs but that would not be very
flexible going forward.

At this point MS-CAPI still looks like the best choice for
machine-independent access to the TPM RNG on Windows.  The ability to
reliably enumerate all the CSPs is much easier than hunting through the
disk to try to find a DLL to implement the TSS or PKCS-11 APIs.  OTOH if
you are building the software for a particular system and can build in
the location of the necessary DLL, one of the other APIs could work too.

On Linux systems, as I mentioned earlier, the standard appears
to be an open-source TSS implementation called Trousers, at
http://trousers.sourceforge.net .  This requires the Linux kernel to
have a TPM device driver built-in or as a loadable module.  This has
been available in the kernel since 2.6.12, but many distributions do
not enable it, even as a module, so some work is needed to make a kernel
with TPM support.  Then the Trousers software builds a daemon process,
tcsd, which opens /dev/tpm exclusively, and a library, libtspi, for
remote access to tcsd and the TPM.

If you want a cross-platform solution, TSS is probably the best approach
going forward.  As noted, at present the software support is a little
immature and some local configuration will be necessary - locating the
TSS DLL on Windows, and installing the TPM kernel support and Trousers
software on Linux.  Once this is done, the TSS API should provide for
cross-platform capability.  And of course it has additional functionality
if you want to use the TPM for more than just random number generation.

Intel Macs have TPM chips as well but I don't know of any software yet
that can access them.  Eventually I would expect a TSS solution to be
available on that platform as well.

Thanks again to the people who provided me information about these
various solutions!

Hal Finney



Use of TPM chip for RNG?

2006-06-12 Thread "Hal Finney"
Finding a good source of random bits is a frequent problem in
cryptographic applications.  Recently many computers have begun shipping
with a TPM chip, which among other things includes a hardware RNG.
Does anyone know of Windows software which can use the TPM for this
purpose?  Perhaps via MS CAPI, or some other API?

On Linux, the "Trousers" library, http://trousers.sourceforge.net/,
provides access to TPM functions including RNG.  Basically I'm looking
for something similar for Windows.

Given all the questions about trusted computing technology, it would be
nice to get some straightforward operational benefit from all those TPM
chips being installed.  I'll be happy to summarize results back to the
list if people want to contact me privately.

Thanks -

Hal Finney
[EMAIL PROTECTED]
