IETF Logo Mail Archive

Re: [dsfjdssdfsd] Discussion: Malicious Entropy Attacks: Eggs, and Baskets

Dan Brown <dbrown@certicom.com> Tue, 11 March 2014 19:48 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: dsfjdssdfsd@ietfa.amsl.com
Delivered-To: dsfjdssdfsd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 172541A07D4 for <dsfjdssdfsd@ietfa.amsl.com>; Tue, 11 Mar 2014 12:48:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jhKsm7oRovKy for <dsfjdssdfsd@ietfa.amsl.com>; Tue, 11 Mar 2014 12:48:36 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id 7D4BF1A07D8 for <dsfjdssdfsd@ietf.org>; Tue, 11 Mar 2014 12:48:32 -0700 (PDT)
Received: from xct102cnc.rim.net ([10.65.161.202]) by mhs214cnc.rim.net with ESMTP/TLS/AES128-SHA; 11 Mar 2014 15:48:25 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT102CNC.rim.net ([fe80::2066:5d4f:8c45:af55%17]) with mapi id 14.03.0174.001; Tue, 11 Mar 2014 15:48:24 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'akr@akr.io'" <akr@akr.io>, "'dsfjdssdfsd@ietf.org'" <dsfjdssdfsd@ietf.org>
Thread-Topic: [dsfjdssdfsd] Discussion: Malicious Entropy Attacks: Eggs, and Baskets
Thread-Index: AQHPPV5IJGLa+MVjDkCv/yPQoN7tTZrcSQPg
Date: Tue, 11 Mar 2014 19:48:24 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5C5527C@XMB116CNC.rim.net>
References: <531F6068.4080907@akr.io>
In-Reply-To: <531F6068.4080907@akr.io>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.249]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/2vTQgfQ-i_yAYtSuKQeFaI68310
Subject: Re: [dsfjdssdfsd] Discussion: Malicious Entropy Attacks: Eggs, and Baskets
X-BeenThere: dsfjdssdfsd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd/>
List-Post: <mailto:dsfjdssdfsd@ietf.org>
List-Help: <mailto:dsfjdssdfsd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 19:48:40 -0000

The ANSI/NIST standards already require seeding with entropy equal to the security level before generating any outputs: i.e. your setup state A (minus the high-cost hash functions).  Also, aren't some linux RNGs blocking, isn't that a similar idea.  Maybe I should read the blog.

Anyway, it may well be true that many RNG implementations do not operate this way.  That's a problem, and they wouldn't be compliant to the latest ANSI/NIST specs.

On the research side, Barak and Halevi describe an algorithm with good and bad states, if I recall correctly, in an effort to model malicious seeds (with adequate entropy).

> -----Original Message-----
> From: dsfjdssdfsd [mailto:dsfjdssdfsd-bounces@ietf.org] On Behalf Of Alyssa
> Rowan
> Sent: Tuesday, March 11, 2014 3:14 PM
> To: dsfjdssdfsd@ietf.org
> Subject: [dsfjdssdfsd] Discussion: Malicious Entropy Attacks: Eggs, and Baskets
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> djb posted a blog <http://blog.cr.yp.to/20140205-entropy.html> last month
> which presents some interesting viewpoints on RNG design, examining a
> hypothetical¹ scenario in which a malicious entropy source to an otherwise good
> RNG can cause the sorts of havoc an attacker dreams of.
> 
> It advocates that instead of the common
> continuous-entropy-pool-injection designs we see today, a better approach
> might be to make RNGs with a sharp transition between two
> states:-
> 
> A. An entropy-gathering 'setup' state, collecting enough entropy for
>    one really good 256-bit key, reading more-trusted entropy sources
>    after less-trusted ones and using a high-cost hash function (to
>    really increase the work a malicious entropy source would have to
>    do); and then,
> 
> B. A 'running' state, which uses that key, holds it securely, and runs
>    a good deterministic random bit generator to generate as much
>    randomness as we need [up to some limit].
> 
> Specifically, djb advocates running A -then- run B (presumably, up to some
> defined limit, as no DRBG is sound _ad infinitum_, then we'd have to block and
> go back to A to gather another key?).
> 
> This is the exact opposite of what we usually do today, which would be to run A
> continuously in parallel (possibly in many pools) and using B in limited quantities
> to extract randomness from the running pool/s if and when we need it.
> 
> I think that's a fascinating concept: although it runs counter to usual existing
> practice, it does so specifically to minimise the opportunity an attacker has to
> manipulate the RNG state. (One wonders about the effect that might have on
> the window for an attacker to observe the RNG state, although this _might_ be
> more defensible as once in state B, it doesn't seem to provide them with an in-
> band path to then exfiltrating it? Out-of-band exfiltration could be a problem no
> matter which way you sliced it, although if it occurred, it would be a live
> problem for longer, until the next re-key.)
> 
> It relies entirely on the DRBG to be strong for our external prediction resistance.
> While this has potential pitfalls, it also has potential benefits. After all, the DRBG
> is the deterministic element of an RNG: the testable, easily-verifiable part (at
> least, compared to the entropy sources). We already know several approaches
> that'll probably work well (e.g. HMAC_DRBG; CTR_DRBG; a strong stream cipher
> like ChaCha20 with a monotonically-increasing counter, maybe?) as well as, of
> course, ones which infamously won't work out so well (e.g.
> Dual_EC_DRBG).
> 
> I'm not completely sure if this type of "discrete-setup" RNG is a good balance,
> but it's certainly an interesting one about which others may have some
> thoughts...?
> 
> ___
> 1. *Currently* hypothetical, but alarmingly possible for a sufficiently-
>    determined attacker with a penchant for malicious microcode - and we
>    know sufficiently-determined and funded attackers exist, and like
>    weak RNGs. Maybe we could even see a PoC someday?
> 
> - --
> /akr
> -----BEGIN PGP SIGNATURE-----
> 
> iQIcBAEBCgAGBQJTH2BoAAoJEOyEjtkWi2t6hE4P/3SmC3EDQvLbIUHxahpWj7j7
> hd94kNr4IfByMKqwk7zMw6pW1qFsdrKvbFp7ZwEC/ZglbUptZ1taQyVDMX/ii9ZD
> z7lbGDwWJN6XtLR5hn6sU5m1wkUdCHJ6FeQKgMH7sLu9tRilG6XekuYVu7bcpluQ
> FJpt5MbgPjRAz43uDCO9FQrEfI0IljIIlmdmJWIAREvvaJfXwV/RnBf2mrTMUTFm
> I+tyvaJn7TLc3w3L0tU+7MbRghq8UP611qeeTjpsn3HUjY6xUvSaKzeGL4J6xV3U
> tq8kVc6sWCe85W8OcV2yXi7fYYAuxbxSPops83mRb2YH0Ks8Pk68o3PCvty79YpS
> NeSM/jiYe0GGr3mtEXsIeYirVSdLxJuEP0lUxqSHABgHS8MsxrHQOgcR//s0V/B5
> GiBwvE3xE2tf55WgGomPhs2Kqmpa6nsagwrkY6YLk5W+bV12WiCIM447DKzu86
> mg
> O4n6DrQ7h8MMwSIt2qb90Cye48IncuXczJWIVJK3ZO6TMBR1JemwSM1WP35GU
> tH9
> QdOAKPr+zWEwAangT8ztx05XrPAq5cxzclX9ykrF43HQhizjicX9KgcsGSR3GAYe
> 1b3Y9IbLQc6xMWg0iOjs6Yoo3ngiF4Z8Z75n8lbl3/PoolywGRGj3unpyvSQ4qVM
> ByE6GO0YsjeIbrMo/tNs
> =PuzB
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> dsfjdssdfsd mailing list
> dsfjdssdfsd@ietf.org
> https://www.ietf.org/mailman/listinfo/dsfjdssdfsd

v2.23.0 | Report a Bug | By Email