[Gnuk-users] Security of NeuG?
NIIBE Yutaka
gniibe at fsij.org
Tue Feb 24 01:51:24 UTC 2015
On 02/19/2015 08:47 PM, NIIBE Yutaka wrote:
> The exact random bytes are not needed for the host PC. If someone cares
> about a possible wiretapping attack, I think that it would be OK to just
> add some filter.
>
>                                [SECRET]
>                                    |       /------\
>                                    |       |      |
>                                    V       V      |
> [USB Device] -- random byte --> <Secure Keyed Hash> --/
>                                        |
>                               another random stream
>                                        |
>                                        V
>                                    [KERNEL]
As dkg pointed out, this is the same as a CSPRNG seeded by the USB device.
The only difference is the ratio of the amount of input to output.
For a TRNG structure, the ratio should be > 1.
In the NeuG standalone device, we also see the structure when we
enable "conditioning".
                      /------\
                      |      |
                      V      |
noise source ---> <Secure Hash>--/
                        |
                        V
                    USB Output
This time, we don't have a SECRET, and it's a non-keyed hash.
As described in neug/README, we get two samples (from two channels) at
a time, and we put these two samples into the CRC-32 filter four times to
get a single 32-bit value. Then, we put this 32-bit value 35 times into the
secure hash to get 256 bits. So, we use 280 samples in order to get 256 bits.

    2     *      4      *     35      =   280
 samples       times         times      samples
            into CRC-32   into SHA256
I think that it's fair enough.
Furthermore, we also see the same structure in the kernel.
                      /------\
                      |      |
                      V      |
random byte ----> <Secure Hash>--/
from user space         |
                        V
              [USER SPACE applications]
If you want a safety factor, you can specify the option --rng-entropy
(-H for short) to rngd.
Besides, you can also disable the built-in conditioning component of NeuG.
--
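A small model of the conditioning loop described in the mail above (2 samples x 4 CRC-32 rounds = one 32-bit word, 35 words plus the previous output into SHA-256), added here as an illustration and not NeuG's own code. It assumes one-byte samples and zlib's CRC-32; the real sample width and CRC variant are not given in the message.

```python
import hashlib
import zlib

SAMPLES_PER_CRC = 2   # two channels sampled at a time
CRC_ROUNDS = 4        # CRC-32 filter applied four times per word
WORDS_PER_HASH = 35   # 35 words go into SHA-256 per 256-bit output
SAMPLES_PER_WORD = SAMPLES_PER_CRC * CRC_ROUNDS            # 8
SAMPLES_PER_OUTPUT = SAMPLES_PER_WORD * WORDS_PER_HASH     # 280


def crc32_filter(samples):
    """Fold 8 raw samples into one 32-bit word, two samples per round.

    Assumption: one byte per sample and zlib CRC-32 (not NeuG's exact filter).
    """
    if len(samples) != SAMPLES_PER_WORD:
        raise ValueError(f"need {SAMPLES_PER_WORD} samples, got {len(samples)}")
    crc = 0
    for r in range(CRC_ROUNDS):
        pair = bytes(samples[r * SAMPLES_PER_CRC:(r + 1) * SAMPLES_PER_CRC])
        crc = zlib.crc32(pair, crc)  # chain the CRC across the four rounds
    return crc & 0xFFFFFFFF


class Conditioner:
    """Non-keyed conditioner: SHA-256 over (previous output || 35 CRC words)."""

    def __init__(self):
        self.state = bytes(32)  # feedback register, empty before first output

    def next_output(self, samples):
        if len(samples) != SAMPLES_PER_OUTPUT:
            raise ValueError(f"need {SAMPLES_PER_OUTPUT} samples, got {len(samples)}")
        h = hashlib.sha256(self.state)  # the /------\ feedback loop
        for w in range(WORDS_PER_HASH):
            word = crc32_filter(samples[w * SAMPLES_PER_WORD:(w + 1) * SAMPLES_PER_WORD])
            h.update(word.to_bytes(4, "little"))
        self.state = h.digest()
        return self.state


def input_output_ratio(bits_per_sample):
    """Input/output ratio for one 256-bit output; a TRNG wants this > 1."""
    return SAMPLES_PER_OUTPUT * bits_per_sample / 256
```

Even with a single useful bit per sample the ratio stays above 1 (280/256), which is the "fair enough" margin the mail refers to.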