Hi,
[yes, I understand the difference between random, pseudo-random, etc. I've chosen *random* in the subject line, deliberately.]
- All of the following happens without human intervention or supervision.
- Imagine deploying *identical* devices -- possibly differentiated from each other with just a small-ish serial number.
- The devices themselves are not physically secure -- an adversary could legally purchase one, dismantle it, etc. to determine its current state to any degree of exactness "for little investment". I.e., it is not possible to "hide secrets" in them at the time of manufacture.
- *Deployed* devices are secure (not easily tampered without being observed) though the infrastructure is vulnerable and should be seen as providing *no* security.
- The devices have some small amount (i.e., tens or hundreds of bytes) of persistent store.
- The devices download their operating "software" as part of their bootstrap.
- It is practically feasible for an adversary to selectively spoof the "image server" at IPL. (i.e., enter into a dialog with a particular device that is trying to boot at that time)
The challenge is to come up with a scheme by which only "approved" images can be executed on the device(s).
From (2), you have to assume the adversary effectively has the source code for your bootstrap (or can *get* it easily). I.e., you might as well *publish* it!
From (1) and (2), the "uniqueness" of a particular device is trivia that can easily be gleaned empirically.
From (5), any persistent *changes* to the device's state (e.g., (4)) can be observed *directly* (by a rogue image executing on the device)
*If* the challenge is met, then (3) suggests that (4) can become a true "secret".So, thwarting (6) seems to be the effective goal, here...
--
If the device can come up with a "truly" (cough) random number prior to initiating the bootstrap, then a key exchange protocol could be implemented that would add security to the "image transfer".
This "random" number can't depend on -- or be significantly influenced by -- observable events *outside* the device. It can't be possible for someone with copies of the (published!) source code, schematics, etc. to determine what a particular instance of this number is likely to be!
So, how to come up with a hardware entropy source to generate/augment this random number -- cheaply, reliably and in very little space?
Note that the time required to generate the datum is a prerequisite to completing the bootstrap. However, the actual sequencing of the bootstrap might allow the image to be transferred *while* the random number is generated and then *authenticated* afterwards (e.g., a signed secure hash computed ex post facto). If the image is large (more exactly, if the transport time is *long*), then this could buy considerable time for number generation!
If (4), then this can build upon previous "accumulated entropy".
I've been stewing over Schneier to get a better feel for just how much "new entropy" is required... in theory, a secure (4) suggests that very little *should* be required as long as the protocols don't allow replay attacks, etc. (?) But, I have yet to come up with hard and fast numbers (if that guy truly groks all this stuff, he would be amazing to share a few pitchers with!)
The ideas that come to mind (for small/cheap) are measuring thermal/avalanche noise. I can't see how an adversary could predict this sort of thing even with access to *detailed* operating environment data!
A potential vulnerability would be in detecting failures of the "entropy source". While the device in question could actively monitor its output and do some statistical tests on the data it generates, I suspect that monitoring would have to take place over a longer period of time than is available
*during* the bootstrap. [And, a savvy adversary could intentionally force a reboot *before* the software could indicate (to itself) that the RNG is defective to avoid it on subsequent boots!]Bottom line... I'm looking to pointers to practical sources for this randomness. Especially with guidelines on how to tweak the amount of entropy yielded per unit time, etc. (so I can scale the acquisition system to fit the bandwidth of that source, economically)
Thx,
--don