On 2/17/2012 10:16 PM, Wim Lewis wrote:
> On Feb 16, 2012, at 9:22 AM, Kenneth Goldman wrote:
>> Many laptops and desktops and some servers now come with a TPM chip,
>> a free source of hardware random numbers.
> Even aside from TPM or other HSMs, hardware random number generators have been
> a common feature of PC motherboard chipsets for a decade or so. I assume,
> perhaps optimistically, that the /dev/?random devices that modern OSs provide
> make use of these RNGs as well as other system entropy sources (interrupt
> timing and so on).
Unfortunately not!
Intel made a big splash when they put a hardware RNG in
one of the flash EEPROM chip models for storing the BIOS,
then silently omitted the feature from all later models
and even some chips of the same model (!).
Later various other motherboard chip makers have been
adding and removing this feature from various chip
models at various times.
Thus only a somewhat small minority of PC motherboards
from the last 10 years actually have the feature, and a
specific driver is needed for each family of hardware
implementations within that minority.
As for the standard /dev/random devices and motherboards
with this feature, the situation varies with the OS:
For Linux, the motherboard or CPU hardware random source
will be available as an extra character device which may
be named /dev/hwrandom or a hardware specific name
(varies with the Linux dist). A user mode daemon reads
this device and feeds the random bits into /dev/random
for use by /dev/random and /dev/urandom.
For BSD and other UNIX variants, I have no information
at this time.
For NT based MS Windows, support for the Intel RNG
apparently never got integrated into the CryptoAPI
system PRNG (which serves the same purpose as
/dev/random). It is unclear if recent Windows
versions, with their general focus on integration with
TPM chips, also use the TPM chip (if present) as an RNG
input to the system PRNG, and if so, which of the
multiple current system PRNG APIs use it.
> It sounds like most of the low-entropy keys discovered by Lenstra+co belong not
> to desktop/server machines but to embedded devices such as firewalls or VPN
> boxes; it's easy to imagine that such a device, without a hardware RNG and
> generating its secret key immediately after its first boot, fresh from factory
> initialization, could have a hard time getting enough entropy.
Some could also be from the Debian/Ubuntu bug I
mentioned in an earlier post.
In the past few years I have also come across some
semi-embedded devices that won't let the user regenerate
or change the built-in https-management X.509 certificate and its key.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
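The Lenstra+co finding Wim refers to above is also the basis of a useful audit for one's own key inventory: when two starved devices generated the same prime, their RSA moduli share that prime and a GCD exposes it without any factoring. The following is an added example, not code from the thread or from OpenSSL; the device names and moduli are constructed, with small Mersenne primes standing in for the 1024-bit primes a real device would generate.

```python
import math
from typing import Dict, List

# Constructed sample moduli (not from the thread). Mersenne primes are used
# because they are certainly prime; the algorithm is size-agnostic and works
# unchanged on real 2048-bit moduli pulled from a fleet's certificates.
P13, P17, P19, P31 = 2**13 - 1, 2**17 - 1, 2**19 - 1, 2**31 - 1
P61, P89, P107, P127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1

SAMPLE_MODULI: Dict[str, int] = {
    "dev-A": P61 * P89,    # shares P61 with dev-B
    "dev-B": P61 * P107,   # shares P61 with dev-A and P107 with dev-E
    "dev-C": P127 * P31,   # unique primes: healthy key
    "dev-D": P19 * P17,    # unique primes: healthy key
    "dev-E": P107 * P13,   # shares P107 with dev-B
}


def find_shared_factors(moduli: Dict[str, int]) -> Dict[str, List[int]]:
    """Return, per key id, the full factorisation exposed by shared primes.

    Simple batch form: g = gcd(n_i, product of all other n_j). g == 1 means
    n_i has no prime in common with any other key. 1 < g < n_i means one
    prime is shared and the other follows by division. g == n_i means both
    primes are shared (with different keys), so pairwise GCDs split it.
    """
    names = list(moduli)
    total = math.prod(moduli.values())
    exposed: Dict[str, List[int]] = {}
    for name in names:
        n = moduli[name]
        g = math.gcd(n, total // n)
        if g == 1:
            continue
        if g < n:
            exposed[name] = sorted({g, n // g})
            continue
        factors = set()
        for other in names:
            if other == name:
                continue
            h = math.gcd(n, moduli[other])
            if h > 1:
                factors.update({h, n // h})
        exposed[name] = sorted(factors)
    return exposed


if __name__ == "__main__":
    for key_id, factors in find_shared_factors(SAMPLE_MODULI).items():
        print(f"{key_id}: modulus factored via shared prime -> {factors}")
```

Any key that appears in the result must be treated as compromised and reissued; keys absent from the result are only known not to share a prime with the other keys in the same batch.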
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org