[cryptography] on using RDRAND [was: Entropy improvement: haveged + rngd together?]

Stephan Mueller smueller at chronox.de
Tue Dec 3 02:02:12 EST 2013


On Monday, 2 December 2013, 23:16:28, dj at deadhat.com wrote:

Hi dj,

> > the work that you have done to make hardware entropy sources readily
> > available in Intel chips should be commended, and i certainly
> > appreciate it.  i will however continue to complain until it is even
> > better, with configurable access to the raw entropy samples for those
> > who wish to evaluate or run the TRNG in this mode.
> 
> I'm currently arguing with NIST about their specifications which make it
> hard to provide raw entropy while being FIPS 140-2 and NIST SP800-90

Interesting: I have the same type of discussion (SP800-90B) to prepare (and
even went through it -- see [1]), and I do not see it as that problematic if you
have the right hooks into your noise source implementation (and I could
imagine that this is a challenge with the current RDSEED/RDRAND
implementation).

> compliant. If I had a free hand, it would not be a configuration.
> Configurations suck in numerous ways. It would just be there.

This is not acceptable for many. When you are involved in the Intel RNG
development, you may have insights. But I do not. And I trust that some
three-letter agencies are able to fumble with a large US vendor's implementation
of a noise source (considering that they could hide their backdoored DRBG in
plain sight for quite some time).

> 
> Chip design is a slow process. Standards writing is a slow process,
> especially when NIST is involved. When one depends on the other it is even
> slower. So don't hold your breath waiting for anything to happen.
> 
> Feel free to lean on NIST. I notice that they haven't even published the
> public comments yet. The comment period for SP800-90 ended over three
> weeks ago.

Maybe they got quite a few (including from me)?

> 
> The AES and SHA-3 competitions were not like this, even though RNG's are
> less glitzy, they are a more fundamental security feature but they're
> getting less attention from NIST.

I spoke with several NIST folks involved in the RNG process in September. And 
they are not ignorant. Therefore, I would not suggest that we imply anything 
here!

[1] https://www.bsi.bund.de/DE/Publikationen/Studien/LinuxRNG/index_htm.html

Ciao
Stephan
-- 
| Cui bono? |