[cryptography] OneRNG kickstarter project looking for donations
jeffrey at goldmark.org
Mon Dec 15 20:11:17 EST 2014
On 2014-12-15, at 1:18 PM, ianG <iang at iang.org> wrote:
Although I’ve got some quibbles with the description, I was more than happy to back this.
Before I get to those quibbles, I will talk a bit about why I am enthusiastically backing this project.
I work for a company that makes a consumer-oriented password manager. We need to generate a number of cryptographic keys, and on OS X and Windows we rely on the CSPRNGs provided by those OSes. (We do our own version of HKDF when generating master keys, but are still using the OSes' CSPRNGs.)
After BULLRUN, we took a look at all of the crypto that we use with an eye to whether there was a possibility of it having a backdoor or being deliberately weakened. The only primitives that we were using were AES and SHA-2, and so remained confident that neither the algorithms nor the implementations could be backdoored in a way that could remain undetected. (Because of how we use these, things like timing attacks and other side-channel attacks are not relevant.)
The exception, of course, is with the system CSPRNGs. It is just hard to know that they are behaving as advertised. Perhaps when I ask for 16 random bytes, I’m only getting 64 bits of entropy. (Of course the system can’t be too biased without that being eventually detected.)
Anyway, so I love the idea of having something like this. I can combine data from this sort of device with data from the system’s CSPRNGs (possibly using HKDF or even a simple XOR) and be guaranteed something that is at least as strong as the stronger of the two. (I might have to look at what kinds of processes might be able to snoop on data retrieved from the USB device in userland.)
Now some minor quibbles of presentation.
> What we do know is that the NSA has corrupted some of the random number generators in the OpenSSL software we all use to access the internet,
To my knowledge it is only one PRNG, and while “one” can be considered “some”, it is a bit misleading. But more importantly, that one never actually got used in OpenSSL. It turns out that there was an implementation bug that rendered Dual_EC_DRBG completely unusable in OpenSSL. Because it was such a poor choice to use anyway, nobody even noticed this until people started to test it after the BULLRUN disclosures.
As far as anyone knows, it seems like only the users of RSA Inc’s BSafe crypto library were ever actually subject to the sabotage.
> and has paid some large crypto vendors millions of dollars to make their software less secure.
Again, we have the instance of the deal with RSA Inc to make Dual_EC_DRBG the default in BSafe. While there may be other such deals that we don’t know anything about, that is the one in which there is a smoking gun (and bloody hands, and fingerprints). I find it deliciously ironic that many (most?) of RSA Inc.’s customers are those doing military contracting for the US.
I’m not at all trying to say, “well, it was just that once”. After all, what we’ve learned from this is what the NSA is willing to do to subvert cryptographic tools. And we know from BULLRUN about the existence of “working with our industry partners”, but we are left frustratingly blind as to what that actually means.
So I fully agree that what the BULLRUN revelations mean is that the government never actually surrendered at the end of the Crypto Wars. Instead they pretended to, but went on fighting underground.
> Some people say that they also intercept hardware during shipping to install spyware.
Although I believe that such intercepts and implants do happen, I react badly to “Some people say …” It’s the kind of phrase that, at least in the US, is followed by things like “… Obama is plotting to outlaw Christianity”. “Some people say …” is used all too often to start rumors without ever being accountable.
I would replace “Some people say” in your notice with “There is reason to believe”. (There is reason to believe.)
Again, I am fully supportive of the goals and the reasons for this project. I just have quibbles about the text that I have probably gone on about too much.
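The mixing step the message describes (hardware RNG output combined with the OS CSPRNG, via HKDF or a plain XOR, so the result is no weaker than the stronger source), as an added worked example that is not part of the original message and not OneRNG's own code. HKDF follows RFC 5869 over HMAC-SHA256 using only the Python standard library; the `info` label, the length-prefixed framing of the two inputs, the `looks_stuck` check and the function names are this example's own choices, and the "hardware" sample in the `__main__` block is a constructed stand-in rather than bytes read from a device.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM).
    An absent salt is replaced by HASH_LEN zero bytes, as the RFC specifies."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length exceeds 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def looks_stuck(sample: bytes) -> bool:
    """Crude dead-device check: every byte identical (all 0x00, all 0xFF, ...).
    This only catches a gross failure; it is not an entropy estimate."""
    return len(sample) == 0 or sample.count(sample[0:1]) == len(sample)


def mix_xor(system_bytes: bytes, hardware_bytes: bytes) -> bytes:
    """Combine two equal-length samples by XOR. If either sample is uniform and
    independent of the other, the XOR is uniform. Independence is the catch: a
    device that could observe the OS output and return its complement would
    cancel it, which is why the HKDF variant below is the safer default."""
    if len(system_bytes) != len(hardware_bytes):
        raise ValueError("XOR mixing needs equal-length inputs")
    return bytes(a ^ b for a, b in zip(system_bytes, hardware_bytes))


def mix_hkdf(system_bytes: bytes, hardware_bytes: bytes, length: int,
             info: bytes = b"example-rng-mix") -> bytes:
    """Feed both samples into HKDF as a single IKM. Each sample is prefixed with
    its 2-byte length so the boundary between them is unambiguous. The info
    label is this example's own choice, not anything OneRNG defines."""
    ikm = (len(system_bytes).to_bytes(2, "big") + system_bytes
           + len(hardware_bytes).to_bytes(2, "big") + hardware_bytes)
    prk = hkdf_extract(b"", ikm)
    return hkdf_expand(prk, info, length)


def fresh_key(hardware_bytes: bytes, length: int = 32) -> bytes:
    """Derive a key from the OS CSPRNG plus a hardware sample supplied by the
    caller (in a real deployment, bytes read from the USB device). A stuck
    hardware sample is refused rather than silently mixed in."""
    if looks_stuck(hardware_bytes):
        raise ValueError("hardware RNG sample looks stuck; refusing to use it")
    return mix_hkdf(os.urandom(length), hardware_bytes, length)


if __name__ == "__main__":
    # Constructed stand-in for a device read; not bytes from real hardware.
    stand_in_hardware_sample = hashlib.sha256(b"constructed sample").digest()
    print(fresh_key(stand_in_hardware_sample).hex())
```

`mix_hkdf` gives the "at least as strong as the stronger source" property under the usual assumption that HMAC-SHA256 behaves as a randomness extractor: a dead or even adversarial hardware sample cannot remove the entropy contributed by `os.urandom`, and vice versa. `mix_xor` gives the same guarantee only if the two sources are independent, which is exactly the question the message raises about what else on the host can see the USB traffic; a mixer that treats the hardware sample as untrusted input is the conservative choice.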