Entropy Attacks
a year ago
- #security
- #cryptography
- #randomness
- Conventional wisdom suggests that hashing multiple entropy sources together is safe, but this does not hold if one source is malicious and can observe the other sources' contributions before supplying its own.
- Such a malicious source can steer the output of the hash function, for example by searching for a contribution that forces the output to start with chosen bits (e.g., '0000'), which undermines the cryptographic security of whatever is built on that output.
- This manipulation is particularly dangerous in protocols like DSA and ECDSA, where even a partially predictable nonce can expose the secret key.
- EdDSA reduces this risk by using randomness only once, at key generation, and behaving deterministically afterwards, though a malicious source can still influence a few bits of the secret key.
- Randomness generation can also serve as a covert communication channel for attackers to exfiltrate sensitive data.
- Deterministic approaches to randomness generation, like deriving all needed randomness from a single secure key, can limit the influence of malicious sources.
- The current practice of continuously feeding fresh entropy into a running RNG may introduce vulnerabilities rather than enhance security.
- Claims that constant entropy addition is necessary for security (e.g., the rationale given for Linux's /dev/urandom) are criticized as unfounded.
- The concept of 'prediction resistance' in RNGs is questioned, especially if long-term keys are already compromised.
- The post advocates for a shift towards deterministic randomness generation to minimize risks from malicious entropy sources.
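The following added example (written for this summary, not code from the original post) models the two designs the notes contrast: a naive "hash all sources together" combiner in which a last-mover source that sees the honest contributions can force the output to begin with chosen bits, and a deterministic alternative in which all later randomness is expanded from a single secret seed, so a later input has no say. The honest sample contributions, the 8-byte search space and the SHA-256 counter-mode expansion are assumptions chosen for illustration.

```python
import hashlib


def combine(sources: list[bytes]) -> bytes:
    """Naive mixing: hash the concatenation of every entropy source."""
    return hashlib.sha256(b"".join(sources)).digest()


def leading_zero_bits(data: bytes) -> int:
    """Number of zero bits at the start of data (256 for an all-zero digest)."""
    return len(data) * 8 - int.from_bytes(data, "big").bit_length()


def last_mover_contribution(honest: list[bytes], target_bits: int) -> bytes:
    """Model of the attack in the notes: a source that observes the honest
    contributions and searches its own 8-byte input (a constructed search
    space) until the combined output starts with target_bits zero bits.
    Expected cost is about 2**target_bits hash evaluations, which is why a
    handful of output bits are cheap to control."""
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        if leading_zero_bits(combine(honest + [candidate])) >= target_bits:
            return candidate
        counter += 1


def derive_stream(seed: bytes, n_blocks: int) -> list[bytes]:
    """Deterministic alternative: every later random value is expanded from one
    secret seed (SHA-256 over seed || counter, an illustrative construction).
    No input arrives after the seed, so there is nothing for a later source
    to observe or steer; only the seed's own quality matters."""
    return [hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
            for i in range(n_blocks)]


if __name__ == "__main__":
    # Constructed sample contributions standing in for honest entropy sources.
    honest = [b"constructed sample source A", b"constructed sample source B"]
    evil = last_mover_contribution(honest, target_bits=12)
    print("forced output:", combine(honest + [evil]).hex())
    print("deterministic blocks:", [b.hex()[:16] for b in derive_stream(b"seed", 3)])
```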