That was exactly what I was thinking about. This is a quite impractical attack, in the sense that if you are able to do that, you are able to do way simpler attacks, like tuning the final output without even going through the pretend & mine phase -- that could be more effective btw, depending on the mixing algo and the presence of true randomness in the mix or not, but arguably slightly easier to detect. So the hw rng path would only be reserved to extremely high profile targets subject to APT, and those targets had better generate their keys on dedicated hardware, or there will be 10000 ways for them to be owned. (And even if they do on dedicated hardware, subject to an attacker so motivated, I predict they are still owned...) And above all: you will also probably be able to modify other supposed sources of entropy (if you restrict yourself to sources, I still think it is a terrible idea if you have that kind of capabilities), so short of analyses showing why this would be way more difficult, dropping the dedicated hw gen for a theoretical problem that would also be an end-game for virtually everything else is insane. You get no actual advantages, and tons of drawbacks. Really, the hypothesis of what the attackers are able to do and what they are not makes no sense IMO; like:

> For example, an attacker can't exert any serious control over the content of my keystrokes while I'm logged in; I don't see how hashing this particular content into my laptop's entropy pool can allow any attacks.

Yeah, so that mythical unicorn can invoke utter craziness in RDRAND, but is somehow unable to modify the key inputs and/or timings just when that data reaches the entropy input algos? I just don't buy it. Like I don't buy that the user is somehow recomputing everything on a second computer and comparing both results (or using other fancy proof of work things that I'm not aware even exist in the real code we are talking about).
My litmus test is: imagining I'd have to attack, I would never do it by such a convoluted method. Or maybe only ever if Ben Laden Two is the target, AND if it seems to actually make sense in the technical context of the attack: the probability of both occurring is, I guess, quite low...