Re: [dsfjdssdfsd] Discussion: Malicious Entropy Attacks: Eggs, and Baskets

tytso@mit.edu Sun, 16 March 2014 17:17 UTC

Date: Sun, 16 Mar 2014 13:17:16 -0400
From: tytso@mit.edu
To: Arnold Reinhold <agr@me.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dsfjdssdfsd/aZSzOEVOaDD1APfSm0zGHQ7yQHY
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>

On Sun, Mar 16, 2014 at 11:18:29AM -0400, Arnold Reinhold wrote:
> 
> And note that not all the issues I raised are software
> related. Tempest, for example, is a very tricky business. The NSA
> specs for Tempest protection are not publicly available, but I have
> been told they require tight physical configuration control, as even
> a single wire change can destroy Tempest protection.  Perhaps the
> best that can be achieved is to keep any attacker a safe distance
> from critical systems. A determined attacker might be willing to
> absorb the effort and risk to covertly penetrate physical security
> barriers if doing so will lead to a permanent compromise of a
> one-time-seeded PRNG, less so if the benefits will last only briefly
> as the PRNG reseeds after they leave.

One of the things which is not obvious is whether or not each
contributor has the same threat model in mind.  (In fact, it seems
pretty obvious to me that we don't all share the same threat model,
but I'm trying to be polite.  :-)

The sort of things that you might need to worry about if you are
trying to protect against pervasive monitoring are very different if
you are worried about a targeted attack.  If someone is willing to
bring in a listening truck and park it outside your house, or covertly
penetrate physical security, there is a whole host of things that you
would need to protect against before you are fully protected against
that level of attack.

In particular, who cares about how carefully constructed your RNG
might be if the attacker can replace it (along with perhaps your
entire networking stack, and the monitoring tools that might allow you
to notice that something strange has happened to your system)?  Or
just simply drop in some malware which leaks the session key after
your perfect RNG that meets with all of the academics' worries about
state compromise recovery....

						- Ted