[cryptography] Intel RNG

Andrew R. Reiter arr at watson.org
Wed Jun 20 08:44:17 EDT 2012


On Wed, 20 Jun 2012, James A. Donald wrote:

> On 2012-06-19 9:07 AM, dj at deadhat.com wrote:
>> It does tell you that if it is your chip and you don't let
>> someone else pull the lid off, scrape off the passivation and apply a pico
>> probe to it, it will certainly provide you with good random numbers
>> regardless of the FIPS mode.
>
> I don't know that.  Intel might have screwed up deliberately or 
> unintentionally, or my particular chip might fail in a way that produces 
> numbers that are non-random, but, due to whitening, are non-random in a way 
> that only some people know how to detect.
>
> If Intel told me how it worked, and provided low level access to raw 
> unwhitened output, I could find pretty good evidence that the low level 
> randomness generator was working as described, and perfect evidence that the 
> whitener was working as described.  Certification does not tell me anything 
> much.

One vague point, or at least vague to me (sigh :-/), on their chosen 
entropy analysis was the reason given for the n-gram check length ranges. 
The CRI analysis states that M$ said the n-grams given (lengths 1 to 4) 
and the ranges of acceptable repeats of the n-grams within a 256-bit 
sequence were based on empirical evidence.  An Intel forum [1] said it was 
based on a binomial distribution.  It would seem important to understand 
their statistical model behind sanity checking the es.

Cheers,
Andrew
[1] http://software.intel.com/en-us/forums/showthread.php?t=104200
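As an added illustration of the binomial reading of those n-gram ranges (this is example code written for this archive page, not Intel's or CRI's, and it assumes a simplified model: the 256-bit sample is cut into non-overlapping n-bit chunks, so the number of chunks matching any one pattern is Binomial(256 // n, 2^-n), and a pattern's count is accepted when it lies outside neither tail beyond an assumed probability of 1e-6):

```python
"""Binomial model for the n-gram repeat-count check (example assumption, not
Intel's published model: a 256-bit sample is cut into non-overlapping n-bit
chunks, so the count of any one pattern is Binomial(256 // n, 2**-n))."""
import hashlib
from itertools import accumulate
from math import comb

SAMPLE_BITS = 256
NGRAM_LENGTHS = (1, 2, 3, 4)

def binom_pmf(trials, k, p):
    """P(X = k) for X ~ Binomial(trials, p)."""
    return comb(trials, k) * p ** k * (1 - p) ** (trials - k)

def acceptance_range(trials, p, tail):
    """Smallest lo and largest hi with P(X < lo) <= tail and P(X > hi) <= tail."""
    pmf = [binom_pmf(trials, k, p) for k in range(trials + 1)]
    below = list(accumulate(pmf))                # below[k] = P(X <= k)
    above = list(accumulate(pmf[::-1]))[::-1]    # above[k] = P(X >= k)
    lo = next(k for k in range(trials + 1) if below[k] > tail)
    hi = max(k for k in range(trials + 1) if above[k] > tail)
    return lo, hi

def ngram_counts(sample, n):
    """Count every n-bit pattern over the non-overlapping n-bit chunks of sample."""
    bits = "".join(f"{byte:08b}" for byte in sample)
    counts = {pattern: 0 for pattern in range(2 ** n)}
    for i in range(0, len(bits) - n + 1, n):
        counts[int(bits[i:i + n], 2)] += 1
    return counts

def check_sample(sample, tail=1e-6):
    """Return (n, pattern, count, lo, hi) for each out-of-range count; [] means pass."""
    assert len(sample) * 8 == SAMPLE_BITS
    violations = []
    for n in NGRAM_LENGTHS:
        lo, hi = acceptance_range(SAMPLE_BITS // n, 2.0 ** -n, tail)
        for pattern, count in ngram_counts(sample, n).items():
            if not lo <= count <= hi:
                violations.append((n, pattern, count, lo, hi))
    return violations

if __name__ == "__main__":
    # Constructed inputs: a hash digest standing in for a healthy sample, and a
    # stuck-at-zero sample that any sanity check on the entropy source must reject.
    healthy = hashlib.sha256(b"constructed sample").digest()
    print({n: acceptance_range(SAMPLE_BITS // n, 2.0 ** -n, 1e-6) for n in NGRAM_LENGTHS})
    print("healthy:", check_sample(healthy), "stuck:", check_sample(bytes(32))[:2])
```

The printed ranges are what the binomial model predicts for each n-gram length; comparing them with ranges quoted from the CRI report would show whether "binomial" or "empirical" is the better description.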
