[cryptography] Intel RNG

Kevin W. Wall kevin.w.wall at gmail.com
Fri Jun 22 17:42:12 EDT 2012


Am I missing something?

On Fri, Jun 22, 2012 at 1:06 PM, Marsh Ray <marsh at extendedsubset.com> wrote:
> On 06/21/2012 09:05 PM, ianG wrote:
>> On 22/06/12 06:53 AM, Michael Nelson wrote:

>> It's a natural human question to ask. "I want to see what's under the
>> hood." But it seems there is also a very good response - if you can
>> see under the hood, so can your side-channel-equipped attacker.
> It seems to me that the bits one gets to see via RdRand aren't a side
> channel, by definition. But if the attacker gets to see a disjoint set of
> samples from the same oscillator then we only need to worry about
> dependencies lurking between the sample sets.
> The oscillator is a fairly simple circuit, so it should be straightforward
> to show it has a memory capacity of only a bit or two. Allowing the oscillator
> to run for a few cycles between sample sets going to different consumers
> should eliminate the possibility of short term dependencies.

You wrote "going to DIFFERENT consumers". I am interpreting that as
different processes, but I don't see how a CPU instruction like RdRand
or anything else is going to be process or thread or <insert your favorite
security context here> aware.  If you would have omitted the "different",
then it would have made sense.

So am I just reading too much into your statement and you didn't really
mean "*different* consumers", or am I simply not understanding what
you meant? If the latter, could you kindly explain?

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
