[cryptography] Intel RNG
iang at iang.org
Thu Jun 21 22:05:42 EDT 2012
On 22/06/12 06:53 AM, Michael Nelson wrote:
>> James A. Donald wrote:
>> I see no valid case for on chip whitening. Whitening looks like a classic job for
>> software. Why
> waste chip real estate on something that will only be used
> On that Intel forum site someone pointed to, one of the Intel guys said with respect to the whitening and health testing processes:
> "At the output of the DRBG, through RdRand, you have no visibility of these
> processes. We seek to limit the side channels through which an attacker could
> determine the internal state of the DRNG."
> I suppose that if the rng was shared between multiple processes, and if a malicious process could read the internal state, then it could predict what another process was going to be given in the near future.
> That said, I think that it's a natural factoring to let the user see the bits directly from the hardware source, before any massaging. Perhaps this could be a mode.
It's a natural human question to ask. "I want to see what's under the
hood." But it seems there is also a very good response - if you can see
under the hood, so can your side-channel-equipped attacker.
So what you get is what you get. Love it or leave it.
There is something else to make one slightly skeptical about going
further in this analysis. It's somewhat well known that the microcode
under the chip and other things can be manipulated, and that entire
batches of special chips can be set up for special customers. So we
have a situation where we can rely on the chip to do what is advertised,
but we can't rely on the manufacturer to give us exactly the chip that
Bummer. Same as it ever was. Use the DRBG as an input into the
software mix, it can't hurt, and it probably helps an awful lot.
More information about the cryptography