[cryptography] on using RDRAND [was: Entropy improvement: haveged + rngd together?]

Stephan Mueller smueller at chronox.de
Wed Dec 4 06:23:52 EST 2013


On Tuesday, 3 December 2013, 15:25:22, coderman wrote:

Hi coderman,

> On Mon, Dec 2, 2013 at 11:02 PM, Stephan Mueller <smueller at chronox.de> wrote:
> > ...
> > Interesting: I have the same type of discussion (SP800-90B) to prepare
> > (and even went through it -- see [1]) and I do not see it that problematic,
> > if you have the right hooks into your noise source implementation (and I
> > could imagine that this is a challenge with the current RDSEED/RDRAND
> > implementation).
> 
> one of the beautiful aspects of the RDRAND/RDSEED design is that
> un-trusting consumers can use it concurrently without leaking any
> useful information between them. consider multiple guest OSes using
> the instruction directly.
> 
> raw sampling of the sources would provide bias that _might_ be useful
> to a malicious consumer attempting to compromise the entropy of other
> processes or domains, if done naively.
> 
I concur with you here. And I do not ask for the availability of that 
information in any privilege level. I would be fine if that is available only 
in ring 0 and in VM root mode.

> 
> > I spoke with several NIST folks involved in the RNG process in September.
> > And they are not ignorant. Therefore, I would not suggest that we imply
> > anything here!
> 
> are there other organizations that might provide some weight to these
> efforts?  IETF?

The German BSI has been performing RNG analyses for quite some time. See

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/AIS_31_Functionality_classes_for_random_number_generators_e.pdf


Ciao
Stephan
-- 
| Cui bono? |
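The thread above talks about "the right hooks into your noise source implementation" for an SP800-90B assessment, and about raw noise-source samples being something only a privileged consumer (ring 0, VM root mode) should see. The following is an added illustration, not code from the thread or from any RDRAND/RDSEED driver: it implements the Most Common Value min-entropy estimator from SP 800-90B (section 6.3.1) and runs it over two constructed sample sets, one evenly spread and one heavily skewed, to show what such an assessment hook would compute once raw samples are available. The sample data, the function names and the 256-bit target are all assumptions for the example.

```python
import math
from collections import Counter

# SP 800-90B uses a 99% upper confidence bound on the most common value.
Z_ALPHA = 2.576


def mcv_min_entropy(samples):
    """Most Common Value estimate (SP 800-90B, 6.3.1).

    Returns the estimated min-entropy per sample, in bits.  The estimate
    is deliberately conservative: the observed frequency of the most common
    value is pushed up to its 99% upper confidence bound before taking -log2.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mode_count = Counter(samples).most_common(1)[0][1]
    p_hat = mode_count / n
    p_upper = min(1.0, p_hat + Z_ALPHA * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_upper)


def samples_needed(samples, target_bits):
    """How many raw samples must be pooled to reach target_bits of min-entropy
    under the MCV estimate (hypothetical sizing helper for a conditioner)."""
    return math.ceil(target_bits / mcv_min_entropy(samples))


# Constructed sample sets (8-bit raw samples).  Not real noise-source output.
# Every value 0..255 appears exactly four times: no single dominant value.
FLAT_SAMPLES = [v for _ in range(4) for v in range(256)]
# Half of all samples are 0; the rest cycle through 1..255.
SKEWED_SAMPLES = [0] * 512 + [1 + (i % 255) for i in range(512)]


if __name__ == "__main__":
    for name, data in (("flat", FLAT_SAMPLES), ("skewed", SKEWED_SAMPLES)):
        h = mcv_min_entropy(data)
        print(f"{name:7s} MCV min-entropy: {h:.3f} bits/sample, "
              f"{samples_needed(data, 256)} samples for 256 bits")
```

Note that even the evenly spread set does not score the full 8 bits per sample: with only 1024 observations the confidence bound on the most common value stays well above 1/256, which is exactly the conservatism a certification lab would expect. A real assessment would apply the remaining SP 800-90B estimators as well and take the minimum.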
