[cryptography] Intel RNG
Kevin W. Wall
kevin.w.wall at gmail.com
Fri Jun 22 17:42:12 EDT 2012
Am I missing something?
On Fri, Jun 22, 2012 at 1:06 PM, Marsh Ray <marsh at extendedsubset.com> wrote:
> On 06/21/2012 09:05 PM, ianG wrote:
>> On 22/06/12 06:53 AM, Michael Nelson wrote:
>> It's a natural human question to ask. "I want to see what's under the
>> hood." But it seems there is also a very good response - if you can
>> see under the hood, so can your side-channel-equipped attacker.
> It seems to me that the bits one gets to see via RdRand aren't a side
> channel, by definition. But if the attacker gets to see a disjoint set of
> samples from the same oscillator then we only need to worry about
> dependencies lurking between the sample sets.
> The oscillator is a fairly simple circuit, so it should be straightforward
> to show it has a memory capacity of only a bit or two. Allowing the oscillator
> to run for a few cycles between sample sets going to different consumers
> should eliminate the possibility of short term dependencies.
You wrote "going to DIFFERENT consumers". I am interpreting that as
different processes, but I don't see how a CPU instruction like RdRand
or anything else is going to be process or thread or <insert your favorite
security context here> aware. If you had omitted the "different",
then it would have made sense.
So am I just reading too much into your statement and you didn't really
mean "*different* consumers" or am I simply not understanding what
you meant? If the latter, if you could kindly explain.
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein
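As an added illustration, not part of the original thread and not a model of Intel's actual circuit: a constructed toy source in which each output bit is a majority vote over the current raw noise bit and the previous two, so the source has exactly two bits of memory. Two consumers whose sample sets are interleaved one cycle apart see strongly correlated bits; if the source is allowed to run MEMORY cycles between samples handed to different consumers, the two sample sets are independent, which is the "few cycles between sample sets" argument made above, worked through numerically. The majority rule, the memory length, the seeded noise and the sample counts are all assumptions made for the demonstration.

```python
import random

# Toy model (constructed for this example): each output bit depends on the
# current raw noise bit and the previous MEMORY raw bits, nothing older.
MEMORY = 2


def raw_noise(n, seed=1):
    """n + MEMORY fair coin flips from a seeded PRNG, standing in for the
    raw physical noise. Seeded so the figures below are reproducible."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n + MEMORY)]


def toy_oscillator(noise):
    """Output bit i is the majority of noise[i-MEMORY .. i]. Adjacent outputs
    share raw bits (hence correlate); outputs MEMORY+1 apart share none."""
    out = []
    for i in range(MEMORY, len(noise)):
        window = noise[i - MEMORY:i + 1]
        out.append(1 if sum(window) >= 2 else 0)
    return out


def correlation(xs, ys):
    """Pearson correlation of two equal-length bit sequences."""
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n
    vx = sum((x - mx) ** 2 for x in xs) / n
    vy = sum((y - my) ** 2 for y in ys) / n
    return cov / (vx * vy) ** 0.5


def lag_correlation(bits, lag):
    """Correlation between output i and output i+lag (lag >= 1)."""
    return correlation(bits[:-lag], bits[lag:])


def decimate(bits, step):
    """Keep every step-th output, i.e. let the source run step-1 cycles
    between the samples one consumer actually takes."""
    return bits[::step]


def disjoint_consumers(bits, gap):
    """Hand out samples to two consumers A and B in alternation: A takes
    output i, B takes output i+gap, then A takes i+2*gap, and so on.
    Returns the correlation between A's and B's paired samples."""
    a = bits[0::2 * gap]
    b = bits[gap::2 * gap]
    m = min(len(a), len(b))
    return correlation(a[:m], b[:m])


if __name__ == "__main__":
    bits = toy_oscillator(raw_noise(200_000))
    for lag in range(1, 5):
        print(f"lag {lag}: corr = {lag_correlation(bits, lag):+.3f}")
    print(f"decimated by {MEMORY + 1}, lag 1: "
          f"{lag_correlation(decimate(bits, MEMORY + 1), 1):+.3f}")
    print(f"two consumers, gap 1: {disjoint_consumers(bits, 1):+.3f}")
    print(f"two consumers, gap {MEMORY + 1}: "
          f"{disjoint_consumers(bits, MEMORY + 1):+.3f}")
```

For this model the exact values are 0.5 at lag 1, 0.25 at lag 2 and 0 at lag 3 and beyond, and the empirical figures land within a few thousandths of those. The point the simulation makes is narrow: a bounded-memory source loses all dependency once the gap exceeds its memory, so the question of whether the instruction is "consumer aware" only matters if the hardware does not already enforce such a gap or whiten the output; this toy says nothing about which of those a real DRNG does.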