[onerng talk] design decision questions

Jim Cheetham jim at gonzul.net
Mon Dec 29 00:36:32 GMT 2014

On Mon, Dec 29, 2014 at 1:07 PM, Gerd v. Egidy <lists at egidy.de> wrote:
> To protect the device against hardware tampering or replacement against a fake
> device I'd suggest different methods like digitally signing and encrypting the
> usb datastream, combined with activating the readout protection and filling the
> shield with epoxy.

I'm not sure that signing/encrypting the datastream would actually
protect you from any attacks except USB bus sniffing, and if you care
about your RNG you will also care about the hardware environment. If
you can be sure that you're talking to the correct hardware, verifying
the firmware on the device is similar to verifying that the firmware
signed some data it sent out.

As far as the epoxy argument goes, this is a great protection against
post-delivery tampering but not a protection against supply-chain
tampering. We mitigate supply-chain tampering by keeping things simple
and helping you to verify them, obviously we can't help you with any
post-delivery tampering and again, you need to care about your own
hardware environment. If you don't intend to reprogram the device,
epoxy on the programmer port is a great start - although I'd probably
suggest tamper-proof/forensic tape as a secondary option.


More information about the Discuss mailing list