[cryptography] Intel RNG
thierry.moreau at connotech.com
Thu Jun 21 20:49:39 EDT 2012
James A. Donald wrote:
> James A. Donald wrote:
> > > I see no valid case for on chip whitening. Whitening
> > > looks like a classic job for software. Why waste chip
> > > real estate on something that will only be used 0.001% of
> > > the time.
> On 2012-06-22 6:53 AM, Michael Nelson wrote:
> > I suppose that if the rng was shared between multiple
> > processes, and if a malicious process could read the
> > internal state, then it could predict what another process
> > was going to be given in the near future.
> To the extent that rng generates true randomness, it can only partially
> predict. Assuming that each process collects sufficient true randomness
> for its purposes, not a problem. That is the whole point and purpose of
> generating true randomness.
Just a few more random arguments in this discussion.
The NIST SP800-90 architecture, which is used in the Intel RNG, has
(A) a true random sampling process which "provides less than full"
entropy, followed by
(B) an adaptation process, deterministic but not a NIST algorithm,
called "conditioning" which provides well quantified full entropy bits
(the designer has to make the demonstration that the goal is reached
given the available understanding of the random sampling process), and
(C) the DRBG (deterministic random bit generator) which is periodically
seeded by the output of the conditioning algorithm.
(A) is truly random, (B) and (C) are deterministic.
If your enemy has access to the data used by either the conditioning
algorithm or the DRBG, he can figure out their respective output.
Because the Intel RNG designers do not know which CPU request comes from
a user versus an enemy, they only provide a unique and independent
output portion to each of them. One cannot guess what the other
received. If the enemy can trace the user program with debugging support
CPU facilities, he might be in a position to eavesdrop on an output portion
given to the user. Be careful.
But don't trust me about these explanations, I might be an enemy. At
least Intel designers don't trust me to audit their deterministic
algorithm implementations within production parts. So they protect your
secure applications, just in case my Trojan horse software is loaded
when your application runs.
As a concluding remark, ... well, why should I share a conclusion with
potential enemies? You may as well (truly random) draw your own conclusion.
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
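An added illustration of the three-stage architecture described in the post above (not code from the post, the list, or Intel's design): a simulated biased noise source stands in for stage (A), SHA-256 hashing stands in for the conditioning in (B), and an HMAC_DRBG in the shape of SP 800-90A serves as (C). It shows that two consumers get distinct output portions, that anyone holding the conditioner's output (or the DRBG state) reproduces every portion, and that a reseed with fresh conditioned entropy cuts that mirror off.

```python
import hashlib
import hmac
import random


def sample_noise_source(n_bytes: int, seed: int = 1) -> bytes:
    """Stage (A), simulated: bits are 1 with probability 0.8, so each bit
    carries less than full entropy (constructed stand-in, not a real circuit)."""
    rng = random.Random(seed)  # deterministic so the example is repeatable
    bits = [1 if rng.random() < 0.8 else 0 for _ in range(8 * n_bytes)]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def condition(raw_samples: bytes) -> bytes:
    """Stage (B): deterministic conditioning of many low-entropy samples into
    256 bits. A real design must show the input block holds >= 256 bits of entropy."""
    return hashlib.sha256(raw_samples).digest()


class HmacDrbg:
    """Stage (C): HMAC_DRBG with SHA-256 (update/generate/reseed as in SP 800-90A)."""

    def __init__(self, seed_material: bytes) -> None:
        self.key, self.v = b"\x00" * 32, b"\x01" * 32
        self._update(seed_material)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes = b"") -> None:
        self.key = self._mac(self.v + b"\x00" + provided)
        self.v = self._mac(self.v)
        if provided:
            self.key = self._mac(self.v + b"\x01" + provided)
            self.v = self._mac(self.v)

    def reseed(self, seed_material: bytes) -> None:
        self._update(seed_material)

    def generate(self, n_bytes: int) -> bytes:
        out = b""
        while len(out) < n_bytes:
            self.v = self._mac(self.v)
            out += self.v
        self._update()  # state moves on; earlier output is not recoverable from it
        return out[:n_bytes]


def demo() -> dict:
    seed = condition(sample_noise_source(4096))
    drbg = HmacDrbg(seed)
    user, enemy = drbg.generate(32), drbg.generate(32)  # one portion each
    mirror = HmacDrbg(seed)  # someone who captured the conditioner output
    mirrored_user, mirrored_enemy = mirror.generate(32), mirror.generate(32)
    drbg.reseed(condition(sample_noise_source(4096, seed=2)))  # periodic reseed
    return {"user": user, "enemy": enemy, "mirrored_user": mirrored_user,
            "mirrored_enemy": mirrored_enemy, "after_reseed": drbg.generate(32),
            "mirror_after": mirror.generate(32)}
```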