[cryptography] Intel RNG

ianG iang at iang.org
Thu Jun 21 22:05:42 EDT 2012


On 22/06/12 06:53 AM, Michael Nelson wrote:
>> James A. Donald wrote:
>
>>
>
>> I see no valid case for on chip whitening.  Whitening looks like a classic job for
>> software.  Why
> waste chip real estate on something that will only be used
>
> On that Intel forum site someone pointed to, one of the Intel guys said with respect to the whitening and health testing processes:
>
> "At the output of the DRBG, through RdRand, you have no visibility of these
> processes. We seek to limit the side channels through which an attacker could
> determine the internal state of the DRNG."

Good answer!

> I suppose that if the rng was shared between multiple processes, and if a malicious process could read the internal state, then it could predict what another process was going to be given in the near future.
>
> That said, I think that it's a natural factoring to let the user see the bits directly from the hardware source, before any massaging.  Perhaps this could be a mode.


It's a natural human question to ask.  "I want to see what's under the 
hood."  But it seems there is also a very good response - if you can see 
under the hood, so can your side-channel-equipped attacker.

So what you get is what you get.  Love it or leave it.

There is something else to make one slightly skeptical about going 
further in this analysis.  It's somewhat well known that the microcode 
under the chip and other things can be manipulated, and that entire 
batches of special chips can be set up for special customers.  So we 
have a situation where we can rely on the chip to do what is advertised, 
but we can't rely on the manufacturer to give us exactly the chip that 
they advertised.

Bummer.  Same as it ever was.  Use the DRBG as an input into the 
software mix, it can't hurt, and it probably helps an awful lot.



iang



More information about the cryptography mailing list