
Cache Attacks on CTR_DRBG - shaananc
https://security.cohney.info/blackswans/
======
RcouF1uZ4gsC
With all these side channel attacks, I am suspecting that there may be a SPS
theorem.

Given shared CPU, performance, and security, you can at best get 2 out of the
three.

------
lacker
What systems use this PRNG? While Googling around I found it surprisingly hard
to figure out what algorithm is used for random number generation on e.g.
Linux getrandom or the Chrome implementation of the Web Crypto API. Am I
looking at the wrong layer of the stack?

~~~
tptacek
CTR_DRBG is basically the simplest reasonable CSPRNG, and a
formalization/standardization of what other CSPRNGs do. As such, it's a good
stationary "target" for research work. It's probably not a great idea to freak
out about its presence in a design, since other designs will have similar
flaws: if you have untrusted cotenant applications on the same hardware, side-
channel attacks against your CSPRNG are going to be an issue.

In particular: these attacks all appear to rely on classic cache-timing
attacks against software AES. The "vulnerability" in these systems, then,
isn't so much the CSPRNG construction as the use of a faulty, vulnerable
software AES primitive. Even FIPS-mode OpenSSL uses a hardware AES,
and so the paper has to target an older version.

~~~
GhettoMaestro
As someone who has worked for a decade and a half with various asymmetric and
symmetric ciphers and hashes in my field, I am embarrassed to admit that the
inner-workings of a RNG/CSPRNG are still a bit cryptic to me.

Slightly off-topic: Would it be near-impossible to have a hardware-level RNG
that spits out bits at a sufficient rate to avoid software-based RNG schemes?
My thought is to have a very, very vetted hardware RNG, and use that as an
anchor to build off of.

~~~
tptacek
You mean like RDRAND? They exist, but if they're built into COTS platforms,
you have to trust them, and if they're not, you have to do extra work to
assure the joinery and handle failure modes.

To break the attack in this paper, you don't even need a hardware RNG; you
just need hardware AES, like most modern platforms have (and like most
mainstream operating systems use by default).

~~~
GhettoMaestro
Yeah like RDRAND, but not compromised :P.

Suddenly after I read what you typed about RDRAND it clicked to me - you must
never fully trust the hardware. Even if you TRUST the HW RNG, what is the harm
of combining it into a broader RNG (assuming you know what you are doing)?

Thanks for your time.

~~~
pg_is_a_butt
seed the whole system with live bitstream of a video feed trained on a wall
full of lava lamps

------
robocat
Complete aside, but "black swan" is a terribly bad metaphor. 5 minutes drive
and I can see _hundreds_ of black swans, and not a single white one...

~~~
robocat
Edit: not sure why the downvotes - because factually incorrect opinion or off-
topic? I don't live far from here:
[https://www.christchurchdailyphoto.com/2011/09/29/black-swans-on-the-estuary/](https://www.christchurchdailyphoto.com/2011/09/29/black-swans-on-the-estuary/)

Edit 2: looked up the metaphor, it really fails when I'm only surrounded by
black swans. There are occasional white swans too - I have always presumed
swans were migratory like plenty of the waterfowl over here!

