[cryptography] Intel RNG

Thor Lancelot Simon tls at panix.com
Tue Jun 19 09:17:57 EDT 2012

On Mon, Jun 18, 2012 at 09:58:59PM -0700, coderman wrote:
> this is very useful to have in some configurations (not just testing).
> for example: a user space entropy daemon consuming raw, biased,
> un-whitened, full throughput bits of lower entropy density which is
> run through sanity checks, entropy estimates, and other vetting before
> mixing/obscuring state, and feeding into host or application entropy
> pools.

Sanity checks, entropy estimates, and other vetting *which the output
of a DRBG keyed in a known way by your adversary will pass without
a hint of trouble*.

It seems to me the only reason you'd benefit from access to the raw
source would be if you believed Intel might have goofed the sanity
checks.  For my part, I am happy to rely on CRI's assurance that Intel's
sanity checks are good.

The only defense against a deliberately compromised hardware RNG is to
mix it with something else.
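
The point made in the last two paragraphs, as an added example that is not part of the original message or of any Intel or CRI code: a DRBG keyed with a value the adversary already knows passes FIPS 140-1 style health checks without a hint of trouble, while hashing its output together with an independent source leaves the adversary unable to predict the result. The toy HMAC-counter DRBG, the constructed manufacture-time key and the mixing function are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def keyed_drbg(key: bytes, nbytes: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy DRBG whose entire output is fixed by
    `key`. Whoever knows the key can reproduce every byte it will ever emit."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])

def monobit_ok(sample: bytes) -> bool:
    """FIPS 140-1 style monobit test on a 20000-bit sample: ones in (9725, 10275)."""
    ones = sum(bin(b).count("1") for b in sample[:2500])
    return 9725 < ones < 10275

def long_run_ok(sample: bytes) -> bool:
    """FIPS 140-1 style long-run test: no run of 34+ identical bits in 20000 bits."""
    bits = "".join(f"{b:08b}" for b in sample[:2500])
    longest = current = 1
    for prev, cur in zip(bits, bits[1:]):
        current = current + 1 if cur == prev else 1
        longest = max(longest, current)
    return longest < 34

def mix(hw_output: bytes, other_source: bytes) -> bytes:
    """Combine the hardware output with an independent source through a hash.
    The result is unpredictable to anyone lacking `other_source`, even if they
    control `hw_output` completely."""
    return hashlib.sha256(b"hw:" + hw_output + b"other:" + other_source).digest()

def demo() -> dict:
    # Constructed scenario: the adversary fixed the DRBG key at manufacture time.
    adversary_key = bytes(range(32))
    hw = keyed_drbg(adversary_key, 2500)
    # Health checks see nothing wrong: the stream is statistically excellent.
    checks_pass = monobit_ok(hw) and long_run_ok(hw)
    # Yet the adversary regenerates the identical stream from the key alone ...
    raw_predictable = keyed_drbg(adversary_key, 2500) == hw
    # ... while the mixed output depends on a source they do not hold.
    other = secrets.token_bytes(32)
    mixed = mix(hw, other)
    adversary_guess = mix(hw, secrets.token_bytes(32))  # wrong `other`, wrong result
    return {"checks_pass": checks_pass, "raw_predictable": raw_predictable,
            "mixed_predictable": adversary_guess == mixed}
```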
