[cryptography] Intel RNG

dj at deadhat.com dj at deadhat.com
Tue Jun 19 21:58:37 EDT 2012


> On 06/19/2012 02:11 PM, coderman wrote:
>>
>> the sanity checks, being on die, are limited. you can't run DIEHARD
>> against this in a useful manner because the DRBG obscures anything
>> useful.
>
> I don't think there's anything useful diehard (specifically) is going to
> tell you.
>
> The raw entropy source output would not be expected to pass diehard. The
> CR report shows visible artifacts in that FFT graph. The entropy
> estimation function one would apply to that source would likely be much
> simpler than the diehard suite. Just a sanity check that the output is
> actually changing once in a while would go a long way towards
> eliminating the most common failure modes.
>
> On the other hand, the AES CTR DRBG output will always pass diehard,
> whether it contains any entropy or not.
>

Yup. Actually, having a perfect source is a problem. It's much easier to
test for a source with known defects that meet a well-defined statistical
model. With that you can build a test that the circuit is built correctly.
You can also show it catches all SPOF and DPOF cases. You use other
techniques to prove that if built right, the circuit will have a well-defined
min-entropy in the output.
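
The point made in this exchange, as an added example that is not part of the original message: a stuck source is caught by a trivial check on the raw samples, while the conditioned output looks statistically fine whether or not any entropy went in. Assumptions: SHA-256 in counter mode stands in for the AES CTR DRBG, the cutoff of 32 and the 0.01 tolerance are illustrative, and all sample data is constructed.

```python
import hashlib

def repetition_count_ok(samples: bytes, cutoff: int = 32) -> bool:
    """Health check on RAW samples: fail if one value repeats `cutoff` times in a row."""
    run, prev = 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True

def conditioned_output(seed: bytes, nbytes: int) -> bytes:
    """Deterministic conditioner: SHA-256 in counter mode (assumed stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])

def ones_fraction_ok(data: bytes, tolerance: float = 0.01) -> bool:
    """Black-box statistic on output: fraction of 1 bits within `tolerance` of 0.5."""
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones / (len(data) * 8) - 0.5) < tolerance

# Constructed sample inputs (not measurements from any real device).
STUCK_RAW = bytes(4096)  # source stuck at zero: contains no entropy
# Deterministic pattern that never repeats a value back to back; it only
# exercises the check and is not itself a source of entropy.
CHANGING_RAW = bytes((i * 37 + (i >> 3)) % 251 for i in range(4096))

def report() -> dict:
    drbg_from_stuck = conditioned_output(STUCK_RAW[:32], 1 << 16)
    return {
        "raw_check_stuck": repetition_count_ok(STUCK_RAW),
        "raw_check_changing": repetition_count_ok(CHANGING_RAW),
        "output_stat_stuck_raw": ones_fraction_ok(STUCK_RAW),
        "output_stat_drbg_from_stuck": ones_fraction_ok(drbg_from_stuck),
    }

if __name__ == "__main__":
    for name, passed in report().items():
        print(f"{name}: {'pass' if passed else 'FAIL'}")
```

The last entry passing is the failure mode under discussion: the output statistic is satisfied by a conditioner seeded from a dead source, so the check has to sit on the raw samples.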