Sunday, May 24, 2015

An Informal Taxonomy of True Random Number Generators


Briefly, there are a few broad classes of TRNGs, enumerated in the following table (flattened here into one block per class, with the table's three columns as labelled fields). Enranda belongs to the "ultrahard" category.

Class: Broken
Typical embodiment: A physical system which produces biased bits and outputs them directly as entropy, or perhaps a PRNG implemented in hardware and sold as a TRNG.
Typical vulns: The TRNG itself may be hardened, but it doesn't matter because its output is already biased.

Class: Trust-Me-TRNG
Typical embodiment: CPU "black magic" randomness register, open-source USB device, or a device which measures a nonlinear physical phenomenon (e.g. cosmic microwave background).
Typical vulns: Hardware poisoning on the manufacturing floor. Furthermore, the hardware cannot be virtualized (or aliased to alternative hardware) so as to preempt poisoning. Output poisoning in the path connecting the physical randomness source to the output entropy.

Class: Quasiquantum
Typical embodiment: Comes in a box with a "quantum" sticker on the side. Or perhaps this takes the form of an app which simply extracts quantum noise from the quantum dots that comprise your camera array (CCD). In any event, it claims to produce true random numbers from the fundamental uncertainty of the universe, which is certainly within the realm of what is physically possible.
Typical vulns: "It looks quantum to me" does not mean that it is not merely a simulation thereof. Even if we trust the manufacturer, qubits are easily biased by all manner of interference, some of which might be predictable (or worse, inducible) by an attacker within physical proximity. For example, is the quantum dot CCD noise dependent upon lighting conditions? Can the pixel data be read via device emissions as it traverses the IO bus to the CPU? What happens if the camera has hot pixels, which are stuck in a particular configuration? Does that make the output occasionally predictable? Do we really want our cameras turning on at just the moment we need cryptographically hard randomness to protect our privacy anyway? How can this app be trusted to dispose of the captured image frame, rather than send it to some database on the Internet?

Class: Ultrahard
Typical embodiment: Statistically indistinct from an ideal TRNG by every computable metric. A cold-boot attack is futile. Completely open-source code with minimal dependency on hardware, and that hardware may be entirely virtualized, so that the implementer has full control over which hardware (if any) is actually used. Cannot be defeated other than by subverting the machine and taking control of its outputs via (possibly nested) virtualization (which even then would be immensely difficult and sometimes detectable); at which point there is no reason to care about the TRNG, because the machine is rooted and exposed to complete exploitation. Obtaining an exact copy of the machine would be completely useless for the purposes of predicting the output, even if the attacker had a quantum computer of planetary dimensions. In other words, forget it.
Typical vulns: The only material vuln here, apart from a lazy security guard who left the door open to the server room, would be a bug in the implementation. For its part, Enranda has been carefully combed for such bugs. Nonetheless, bug reports are highly encouraged from the security community, especially when they create security vulns. If you can demonstrate weaknesses in Enranda without subverting the OS, we will regard you as a hero, not a criminal!

Class: Ideal
Typical embodiment: A theoretical unbiased source of bits.
Typical vulns: None.
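The "Broken" class above is defined by biased output, and the "Ultrahard" class by being statistically indistinct from an ideal source under every computable metric. The following added example (not Enranda's code, and not from the original post) shows two of the simplest such metrics a practitioner would run against any candidate TRNG before trusting it: the monobit frequency test from NIST SP 800-22 and a byte-histogram chi-square test. Both sources it tests are constructed in software with seeded PRNGs purely so the run is reproducible; `biased_source` stands in for a "Broken" device emitting 60% ones, and `reference_source` for an unbiased one. The pass/fail thresholds are hypothetical choices for illustration, not a certification criterion.

```python
import math
import random


def biased_source(n_bytes: int, p_one: float, seed: int) -> bytes:
    """Constructed stand-in for a 'Broken' TRNG: each bit is 1 with probability p_one."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n_bytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (1 if rng.random() < p_one else 0)
        out.append(byte)
    return bytes(out)


def reference_source(n_bytes: int, seed: int) -> bytes:
    """Constructed stand-in for an unbiased source (seeded PRNG, so the demo is reproducible)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def monobit(data: bytes) -> tuple[float, float]:
    """NIST SP 800-22 frequency (monobit) test.

    Maps each bit to +1/-1, sums, and normalises by sqrt(n). For an unbiased
    source the statistic is approximately standard normal, so the two-sided
    p-value is erfc(|z| / sqrt(2)).
    """
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s = 2 * ones - n            # (+1 per one) + (-1 per zero)
    z = abs(s) / math.sqrt(n)
    p_value = math.erfc(z / math.sqrt(2))
    return z, p_value


def byte_chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform expectation.

    255 degrees of freedom: mean 255, standard deviation sqrt(510) ~ 22.6 for an
    unbiased source. Bit bias shows up here even when each bit position is
    independent, because some byte values become far more common than others.
    """
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def classify(data: bytes, alpha: float = 0.01, chi_sigmas: float = 4.0) -> str:
    """Hypothetical screening rule: fail if either metric is wildly off.

    alpha is the monobit significance level; chi_sigmas is how many standard
    deviations above the chi-square mean (255) we tolerate.
    """
    _, p_value = monobit(data)
    chi = byte_chi_square(data)
    chi_limit = 255 + chi_sigmas * math.sqrt(2 * 255)
    if p_value < alpha or chi > chi_limit:
        return "biased"
    return "no bias detected"


if __name__ == "__main__":
    n_bytes = 12500                       # 100,000 bits per sample
    broken = biased_source(n_bytes, p_one=0.6, seed=1)
    good = reference_source(n_bytes, seed=1)
    for name, sample in (("broken", broken), ("reference", good)):
        z, p = monobit(sample)
        print(f"{name:9s} monobit z={z:7.2f} p={p:.3g} "
              f"chi2={byte_chi_square(sample):8.1f} -> {classify(sample)}")
```

Passing these two tests says nothing about the "Trust-Me-TRNG" or "Quasiquantum" failure modes in the table, since a hardware-level backdoor or a PRNG sold as a TRNG can emit output that is statistically perfect; they only catch the "Broken" class, where the bias is visible in the bits themselves.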
