[cryptography] Intel RNG

Matthew Green matthewdgreen at gmail.com
Mon Jun 18 08:26:27 EDT 2012


The fact that something occurs routinely doesn't actually make it a good idea. I've seen stuff in FIPS 140 evaluations that makes my skin crawl. 

This is CRI, so I'm fairly confident nobody is cutting corners. But that doesn't mean the practice is a good one. 

On Jun 18, 2012, at 5:52 AM, Paweł Krawczyk <pawel.krawczyk at hush.com> wrote:

> Well, who otherwise should pay for that? Consumer Federation of America?
> It's quite normal practice for a vendor to contract a 3rd party that
> performs a security assessment or penetration test. If you are a smartcard
> vendor it's also you who pays for Common Criteria certification of your
> product.
> 
> -----Original Message-----
> From: cryptography-bounces at randombit.net
> [mailto:cryptography-bounces at randombit.net] On Behalf Of Francois Grieu
> Sent: Monday, June 18, 2012 11:04 AM
> To: cryptography at randombit.net
> Subject: Re: [cryptography] Intel RNG
> 
> dj at deadhat.com wrote:
> 
>> CRI has published an independent review of the RNG behind the RdRand
>> instruction:
>> http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf
> 
> where *independent* is to be taken as per this quote:
>   "This report was prepared by Cryptography Research, Inc. (CRI)
>    under contract to Intel Corporation"
> 
>  Francois Grieu
> 
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography


