On Wednesday, 28 March 2018, 01:32:42 CEST, Peter Gutmann wrote:
> Joachim Strömbergson <joachim.stromberg...@assured.se> writes:
> >Note that we have a second entropy source based on avalanche noise in a PN
> >junction. Designed by Fredrik Thulin.
>
> Is there a backup non-physical source in case the physical ones fail or are
> persuaded to fail? If you look at the Capstone RNG, designed by guys who
> really know about failure modes of crypto hardware, they also have a
> CTR-mode PRNG driven from an internal seed, and an internal counter to
> ensure that some state changes occur even if the dynamic
> randomness-generation locks up. It's a really good belt-and-suspenders
> design, the sort of thing I'd do if given the chance (I'm a big fan of
> safety-oriented redundancy in security designs).
The design already is divided into an entropy source and a CSPRNG, which can continue to run even when the entropy source dries up. Things to discuss (or discussed on Twitter recently, https://twitter.com/BerndPaysan/status/976478349072707584, or here, https://twitter.com/Kryptoblog/status/976440866075238400, as another entry point) are: What can we do to improve the CSPRNG, e.g. use entropy expansion with key erasure instead of the key-preserving stream cipher we use now, or maybe save away gathered entropy in non-volatile memory and fetch it from there at the next startup, so that even when the entropy sources fail, the seeds generated from them while they still were OK can be used to generate more randomness.

Key erasure is a good thing for forward secrecy — you can't obtain a key and use it to go back in the stream by counting downwards and thus obtain old ephemeral keys or session keys. Entropy is also required for post-compromise security — if your physical entropy fails (a sign of compromise on its own) and you continue to work deterministically, the attacker might have obtained your seed and can now generate the same randomness as you. So if you think about failure modes, also think about attack vectors.

It is highly unlikely that you can continue to operate when your in-FPGA jitter-based entropy source fails. How could that happen? Someone must have modified your design (poorly, because a smart attacker would have replaced the non-deterministic internal entropy with a CSPRNG with an attacker-known seed ;-). It's easier to understand why the reverse-biased external diode fails to deliver randomness: a short circuit on the board by dust, or migration wear from being operated in reverse breakdown mode for too long. External components have some harmless failure modes. But in any such failure mode, don't continue to operate without an alarm.
-- Bernd Paysan "If you want it done right, you have to do it yourself" net2o id: kQusJzA;7*?t=uy@X}1GWr!+0qqp_Cn176t4(dQ* http://bernd-paysan.de/
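To make the design points in this thread concrete (key erasure for forward secrecy, an internal counter that keeps the state moving, and refusing to reseed silently from a dead entropy source), here is an added toy example; it is not Cryptech's CSPRNG or any code from the list. `KeyErasureDRBG`, `entropy_healthy`, the HMAC-SHA256 construction and the 32-byte run threshold are all assumptions made for the illustration.

```python
import hashlib
import hmac

class EntropyFailure(Exception):
    """Raised so the caller alarms instead of silently running on a dead source."""

def entropy_healthy(samples: bytes, max_run: int = 32) -> bool:
    """Crude repetition-count test; a run of max_run identical bytes = stuck source."""
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= max_run:
            return False
    return True

class KeyErasureDRBG:
    """Toy key-erasure generator (hypothetical, not the Cryptech CSPRNG): each
    request derives its output and a fresh key from the current key with HMAC-SHA256,
    then overwrites the key, so a stolen state cannot be rewound to earlier output
    the way a key-preserving stream cipher can be by decrementing its counter."""

    def __init__(self, seed: bytes) -> None:
        self.key = hashlib.sha256(b"init" + seed).digest()
        self.counter = 0  # advances on every request, even with no fresh entropy

    def _prf(self, label: bytes, i: int) -> bytes:
        msg = label + self.counter.to_bytes(8, "big") + i.to_bytes(4, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def generate(self, nbytes: int) -> bytes:
        out = b"".join(self._prf(b"out", i) for i in range((nbytes + 31) // 32))
        self.key = self._prf(b"next", 0)  # key erasure: the old key is gone from here on
        self.counter += 1
        return out[:nbytes]

    def reseed(self, entropy: bytes) -> None:
        """Mix in fresh entropy, refusing (with an alarm) when the source looks stuck."""
        if not entropy_healthy(entropy):
            raise EntropyFailure("entropy health test failed; not reseeding")
        self.key = hmac.new(self.key, b"reseed" + entropy, hashlib.sha256).digest()
        self.counter += 1

def forward_secrecy_demo() -> bool:
    # Constructed check: state copied after request 1 yields request 2, never request 1.
    g = KeyErasureDRBG(b"constructed seed")
    first = g.generate(64)
    stolen = KeyErasureDRBG(b"")
    stolen.key, stolen.counter = g.key, g.counter  # attacker learns the current state
    second, replay = g.generate(64), stolen.generate(64)
    return replay == second and replay != first
```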
Tech mailing list Tech@cryptech.is https://lists.cryptech.is/listinfo/tech