Dirty Secrets of "noise based" RNGs
2006-07-05 13:56:16
Thor Lancelot Simon <tls@rek.tjls.com> writes:

>Do you actually know of publically available documentation on the design and
>implementation of *any* of these "noise based" RNGs?  I have spent some time
>looking, and I do not.

Someone from HiFn discussed an older HiFn design based on ring oscillators
with postprocessing at the NIST RNG workshop in 2004,
http://csrc.nist.gov/CryptoToolkit/RNG.html.  Newer designs are apparently
more sophisticated than this, but the details aren't easily available.  I feel
reasonably confident in their design; they know what they're doing.

>Broadcom makes no RNG documentation, much less analysis, publically
>available.

Broadcom makes no documentation of any kind available.  Nothing to see here,
move along.

>I have not had time to investigate the situation vis-a-vis VIA.  I am told
>it's somewhat better, but I was told the Broadcom stuff was trustworthy, too,
>and then I found out that the person who said so did not really have
>documentation either!

Via's stuff is currently the best-documented and best-analysed, and you know
what you're getting in the CPUs (you can read all the status info out of
MSRs).

>If you're using their RNG without NDA documentation that may or may not even
>exist, it's on a "trust us...really!" basis.

Unfortunately the security techies are very much in the minority here; for
99.99% of customers "trust us, really" is fine.  For the vendors it's just too
much work to prepare and clear technical documentation for release when only a
handful of guys in an ivory tower somewhere will ever read it.  I've seen
documentation for one crypto device where it was obvious that it was an
internal doc that had been hastily cleaned up for publication because someone
somewhere had demanded it (some bits of the document had been passed over in
the clearing process; their lawyers would have had a fit).

Asking for these sorts of docs reminds me of the situation with the kernel
hackers who bug vendors for hardware technical data ("why on earth do you want
this information, we provide you with the drivers, don't we?"), but with an
even harder case to make to the crypto hardware vendors.

>These all add up to "vendors are doing things with their 'noise-based' RNGs
>that should *really* scare you".

That's why I'd never trust a single source of entropy for anything, but mix as
many sources as possible into a PRNG (safety through redundancy).  If you look
at the Skipjack RNG, the NSA seem to do the same thing: there are multiple
sources, and even if one fails completely it won't destroy the usefulness of
the generator as a whole.

Peter.
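An added example, not part of this message or of any vendor's design, of the mix-many-sources approach Peter describes: several sources are hashed into one pool, a stuck source is detected by a repetition-count check, and the output stays unpredictable as long as at least one other source still works. The hash-based pool, the check threshold and the constructed stuck source are assumptions of this sketch.

```python
import hashlib
import os

class MixedEntropyPool:
    """Illustrative hash-based pool: every source is folded in on each reseed, and
    a source that keeps repeating a block is flagged as failed (repetition-count
    check in the spirit of SP 800-90B) but still mixed in; it just adds nothing."""

    def __init__(self, sources, repeat_limit=8):
        self.sources = dict(sources)      # name -> callable returning bytes
        self.state = hashlib.sha256(b"pool-init").digest()
        self.last = {name: None for name in self.sources}
        self.repeats = {name: 0 for name in self.sources}
        self.repeat_limit = repeat_limit
        self.failed = set()

    def _health_check(self, name, sample):
        if sample == self.last[name]:
            self.repeats[name] += 1
            if self.repeats[name] >= self.repeat_limit:
                self.failed.add(name)
        else:
            self.repeats[name] = 0
        self.last[name] = sample

    def reseed(self):
        h = hashlib.sha256(self.state)
        for name, source in self.sources.items():
            sample = source()
            self._health_check(name, sample)
            # Name and length prefix keep source boundaries unambiguous.
            h.update(name.encode() + len(sample).to_bytes(2, "big") + sample)
        self.state = h.digest()
        return self.state

def stuck_source():        # constructed failure: output never changes
    return b"\x00" * 32

def os_source():           # stand-in for a second, working source
    return os.urandom(32)

def demo(rounds=10):
    mixed = MixedEntropyPool({"stuck": stuck_source, "os": os_source})
    outs = [mixed.reseed() for _ in range(rounds)]
    # Two pools fed only by the stuck source march in lockstep: predictable.
    a = MixedEntropyPool({"stuck": stuck_source})
    b = MixedEntropyPool({"stuck": stuck_source})
    lockstep = all(a.reseed() == b.reseed() for _ in range(rounds))
    return {"distinct": len(set(outs)), "failed": sorted(mixed.failed), "lockstep": lockstep}
```

With one working source the ten reseeds all differ and only the stuck source is flagged; with the stuck source alone the two pools produce identical output, which is exactly the single-source failure the message warns about.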


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com