[cryptography] on using RDRAND [was: Entropy improvement: haveged + rngd together?]

Stephan Mueller smueller at chronox.de
Tue Dec 3 01:48:34 EST 2013

On Sunday, 1 December 2013, 20:27:34, dj at deadhat.com wrote:

Hi dj,

> I would not characterize the Linux RNG issue as "fully resolved" in any
> way. Until every CPU maker includes a source of entropy by design (instead
> of by accident) and the Kernel gets off its high horse and chooses to use
> them and the kernel gets pre-configured in distros with sane parameters,
> crypto software will continue to fail from low entropy situations.

I would suggest you reconsider your last statement. As the noise source 
offered by Intel or any other silicon is a black box by its nature, not 
everybody is comfortable using it, considering that the noise sources are 
the very fundament the entire cryptography rests on. Thus, using RDRAND or any 
other black box noise source per default in the kernel is just wrong.

And as long as not all aspects of the design are published, being 
cautious about a noise source is good. I wish that Intel would release the 
detailed schematics and their analysis/testing of the noise source 
implementation. As a hardware RNG based on flip-flops or oscillators is not 
really rocket science, I do not understand why this information is held back. 
Moreover, it would have helped if access to the raw noise source had 
been given for re-verifying the characteristics of the noise source.

The only acceptable way IMHO that works with all is: choice. And that choice 
is given to us via rngd. Ok, you may move the choice to kernel land, but 
still, it shall stay as a choice.

| Cui bono? |
