RNG: is it possible to spoil /dev/random by seeding it from (evil) TRNGs (was: howto secure older keys after the recent attacks)
dan at geer.org
Tue Oct 9 13:58:35 CEST 2012
I consulted a non-list-reading colleague who knows
rather a lot about randomness. He writes:
> here's my reply; i dunno whether it counts
> as an example of evil per se:
>
> the bigger problem with manufactured
> entropy sources is that rigorous unit testing
> at the factory usually is just impossible.
> it just takes too long to gather a few hours
> of bits from every unit, then do the exhaustive
> statistical testing, again for every unit.
>
> indeed, it seems likely to me that when
> a CPU vendor sells CPU chips with integrated
> TRNG circuits, some of the chips will surely
> come off the fabrication line with defective
> TRNGs, just as some CPU chips get made with
> defective ALUs, memory, etc. the bad logic
> circuits get caught by exhaustive pre-ship
> testing, and those chips don't get sold. but
> given that rigorous testing of the TRNG circuit
> is so expensive, it's my guess that the CPU
> vendor surely must just unwittingly ship the
> CPUs that happen to have obscurely bad TRNGs.
--dan
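The colleague's point is that exhaustive per-unit statistical testing at the factory does not happen, so a defective TRNG can ship. The complementary run-time defence is to apply cheap continuous health tests to the raw output and refuse to mix bits from a unit that fails them. The following is an added example, not code from the list post or from any vendor: it implements the Repetition Count Test and Adaptive Proportion Test in the style of NIST SP 800-90B section 4.4, with an assumed min-entropy claim, an assumed false-alarm probability, and constructed sample data standing in for raw TRNG bytes.

```python
import math
import random

ALPHA = 2.0 ** -30  # per-test false-alarm probability (assumed value)

def rct_cutoff(h_min: float, alpha: float = ALPHA) -> int:
    """Tolerated run of identical samples: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(alpha) / h_min)

def apt_cutoff(h_min: float, window: int = 512, alpha: float = ALPHA) -> int:
    """Smallest c with P[Binomial(window, 2^-H) >= c] <= alpha."""
    p, tail, c = 2.0 ** -h_min, 1.0, 0
    while tail > alpha:
        tail -= math.comb(window, c) * p ** c * (1 - p) ** (window - c)
        c += 1
    return c

def repetition_count_test(samples: bytes, cutoff: int) -> bool:
    """Catches a stuck source: fails on `cutoff` identical samples in a row."""
    run, last = 0, None
    for s in samples:
        run = run + 1 if s == last else 1
        last = s
        if run >= cutoff:
            return False
    return True

def adaptive_proportion_test(samples: bytes, window: int, cutoff: int) -> bool:
    """Catches a biased source: a window's first sample must not recur `cutoff` times."""
    for start in range(0, len(samples) - window + 1, window):
        w = samples[start:start + window]
        if w.count(w[0]) >= cutoff:
            return False
    return True

def health_check(samples: bytes, h_min: float, window: int = 512) -> str:
    """Return 'ok', or the name of the first test that rejects the source."""
    if not repetition_count_test(samples, rct_cutoff(h_min)):
        return "RCT fail"
    if not adaptive_proportion_test(samples, window, apt_cutoff(h_min, window)):
        return "APT fail"
    return "ok"

# Constructed stand-ins for raw TRNG bytes (a seeded PRNG is not a TRNG; it
# merely plays the healthy unit here).  Claimed min-entropy: 4 bits per byte.
H_CLAIM = 4.0
_rng = random.Random(1234)
GOOD_UNIT = bytes(_rng.getrandbits(8) for _ in range(4096))
STUCK_UNIT = b"\xff" * 4096                                   # wedged output
BIASED_UNIT = bytes(0 if i % 2 else (i // 2) % 256 for i in range(4096))
```

The biased unit passes the repetition test (no long runs) but fails the proportion test, which is why both are run; a real deployment would feed only units reporting "ok" into the kernel pool and would log the failing unit.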
More information about the Gnupg-users mailing list