[openssl-dev] DRBG entropy

John Denker ssx at av8n.com
Fri Jul 29 17:48:03 UTC 2016 

In the context of:

>> I have a chip (FDK RPG100) that generates randomness, but the
>> SP800-90B python test suite indicated that the chip only provides
>> 2.35 bits/byte of entropy

On 07/28/2016 09:08 AM, I wrote:

> That means the chip design is broken in ways that the manufacturer
> does not understand.  The mfgr data indicates it "should" be much
> better than that:
>   http://www.fdk.com/cyber-e/pdf/HM-RAE103.pdf

To be scientific, we must consider all the relevant hypotheses.

1) For starters, let's consider the possibility that the python
 test suite is broken.  Apply the test suite to a sufficiently
 random stream. 
  -- An encrypted counter should be good enough.
  -- /dev/urandom is not a paragon of virtue, but it should be
    good enough for this limited purpose.

1a) If the test suite reports a low randomness for the truly random
 stream, then the test is broken.  Find a better test suite and
 start over from Square One.

1b) If the test suite reports a high randomness for the random stream
 but a low randomness for the chip, the chip is broken and cannot be
 trusted for any serious purpose.
  -- You could derate it by another factor of 10 (down to 0.2
   bits per byte) and I still wouldn't trust it.  A stopped
   clock tells the correct time twice a day, but even so, you
   should not use it for seeding your PRNG.
  -- It must be emphasized yet again that for security you
   need a lower bound on the randomness of the source.
   Testing cannot provide this.  A good test provides an upper
   bound.  A bad test tells you nothing.  In any case, testing
   does not provide what you need.  Insofar as the chip passes
   some tests but not others, that should be sufficient to prove
   and illustrate the point.

 Seriously, if the FIPS lab accepts the broken chip for any
 purpose, with or without software postprocesing, then you
 have *two* problems:  A chip that cannot be trusted and a
 lab that cannot be trusted.


2a) We must consider the possibility that the bare chip 
 hardware is OK, but there is a board-level fault, e.g.
 wrong voltage, wrong readout timing, or whatever.

2b) Similarly there is the possibility that the bare chip
 hardware is OK but the data is being mishandled by the
 system-level driver software.  This should be relatively
 easy to fix.

===========

It must be emphasized yet again the entropy (p log 1/p) is
probably not the thing you care about anyway.  If the entropy
density is high (nearly 8 bits per byte) *and* you understand
why it is not higher, you may be able to calculate something
you can trust ... but let's not get ahead of ourselves.

More information about the openssl-dev mailing list