 |  | |
| | |
| | |
 |
|  |
 | |||
 | Home | ||
| New Users | ||
| Articles | ||
| Download | ||
| Projects | ||
| Community | ||
| Vendors | ||
 | |||
  | |||
|
Recent News | |||
OT: TRNG vs PRNG (was Re: [ILUG] serious Debian/Ubuntu security hole found)Ivan Griffin ivan at skynet.ieFri May 16 15:40:00 IST 2008
Actually, a useful discussion on this topic is available at http://en.wikipedia.org/wiki/Hardware_random_number_generator On Fri, 16 May 2008, Ivan Griffin wrote: > > This discussion is interesting, but probably going completely off topic. In > way of apology for continuing it, I've changed the subject line slightly. > > > However, I think it is worth pointing out that in the semiconductor industry, > the state-of-the-art in consumer electronics crypto probably is considered to > be the use a "true" RNG (TRNG) constructed from some hardware process (pair > of ring oscillators, etc) as an initial seed, feeding into a well > characterised encryption engine. There are other aspects, such as ensuring > the keys are not visible to software directly, but only to a hardware crypto > offload engine. > > PRNGs are not considered best practice. This isn't my personal opinion - it > is a viewpoint that is strongly enforced by many of the industry incumbants > when licensing, for instance, their DRM specifications. I work for a company > that has recently included an analog TRNG macro into our new chip design > specifically for this specific purpose. > > Quoting John von Neumann, "Anyone who considers arithmetical methods of > producing random digits is, of course, in a state of sin." > > > In Applied Cryptography, the crypto bible by Bruce Schneier, the requirements > for a RNG are defined as: > * the output appears to be random (i.e. passes all statistical approximation > tests of randomness that can be found, auto-correlation, cross-correlation > etc); > * it must be computational infeasible to predict next random bit; > * it cannot be reliably reproduced - given same inputs, the generator should > generate two complete unrelated and random sequences. > > Depending on the use of the RNG, it may satisfy one or more of these > requirements. PRNGs are usually considered only to satisfy Schneier's first > requirement, whereas good HW-based TRNGs are considered capable of satisfying > all three. Their output does not depend on any previously produced bits, > unless the deterministic behaviour of the PRNG. > > There are many techniques for TRNGs: > * electrical noise (e.g. Johnson noise, Shot Noise, Flicker noise - all of > which have had their noise distributions characterised.) > * Quantum properties of Photons (quantum theory predicts the choice of path > by a photon is truly random) > * Radioactivity - unstable isotope decay > > As a consequence, I don't think it is fair to state that theoretical > mathematical functions which appear pseudo random are better understood than > the quantum effects which generate noise. > > I also don't think it is correct to say that there are no tests available for > randomness. There are many tests that attempt to determine randomness through > pattern identification - for example, NIST have their "Statistical Test Suite > for Random and Pseudorandom Number Generators for Cryptographic > Applications", the Chi-squared test is useful, as is the DIEHARD test suite. > Obviously, entrophy estimation is theoretically impossible, but it is > possible to get a feeling for random failures in certain limited runs with > appropriate assumptions. > > One of the properties of a good encryption engine is that small changes in > the input are reflected in disproportionate changes in the output - i.e it > has good spread across the output space. AES/Rijndael is an example of a good > crypto algorithm where a sequentially incrementing counter will generate very > good output. Using the TRNG input as an initial seed, coupled with other > mechanisms for gathering entropy, into such a crypto block will generate you > a pretty unique sequence of keys. > > I think this is well summarised in a presentation by Laszlo Hars ("Random > Topics" - http://www.hars.us/Papers/RandomTopics-SummerCon.ppt) : > "Do Random Numbers exist? Mathematically: yes ... but no algorithm generates > them ... Physically: maybe" > > Best Regards, > Ivan > > On Fri, 16 May 2008, Timothy Murphy wrote: > >> On Thursday 15 May 2008 02:40:10 pm paul at clubi.ie wrote: >> >>> If we can't determine randonmess, why should trust the output of a >>> man-made algorithm that /seems/ random over measurements of physical >>> processes that we apparently have good reason to believe /are/ >>> random?** >> >> Because we know far more about mathematical functions >> than we do about the physical processes you are talking about. >> >> Take the time distribution of emissions from radioactive material, >> which is often taken as a model of a random process. >> >> There are any number of reasons why this might not in fact be random, >> eg the measuring apparatus might be defective, >> there may be cosmic ray emissions from a completely different source, >> the rate of emission may not be independent of the temperature, >> the direction of the magnetic field may affect the result, >> etc, etc. >> >> >> >> -- >> Timothy Murphy >> e-mail: gayleard /at/ eircom.net >> tel: +353-86-2336090, +353-1-2842366 >> s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland >> -- >> Irish Linux Users' Group mailing list >> About this list : http://mail.linux.ie/mailman/listinfo/ilug >> Who we are : http://www.linux.ie/ >> Where we are : http://www.linux.ie/map/ >> >> > -- > Irish Linux Users' Group mailing list > About this list : http://mail.linux.ie/mailman/listinfo/ilug > Who we are : http://www.linux.ie/ > Where we are : http://www.linux.ie/map/ > >
More information about the ILUG mailing list Read this without the formatting. |
