[cryptography] on using RDRAND [was: Entropy improvement: haveged + rngd together?]

Stephan Mueller smueller at chronox.de
Wed Dec 4 06:23:52 EST 2013

Am Dienstag, 3. Dezember 2013, 15:25:22 schrieb coderman:

Hi coderman,

> On Mon, Dec 2, 2013 at 11:02 PM, Stephan Mueller <smueller at chronox.de> 
> > ...
> > Interesting: I have the same type of discussion (SP800-90B) to prepare
> > (and
> > even went through it -- see [1]) and I do not see it that problematic, if
> > you have the right hooks into your noise source implementation (and I
> > could imagine that this is a challenge with the current RDSEED/RDRAND
> > implementation).
> one of the beautiful aspects of the RDRAND/RDSEED design is that
> un-trusting consumers can use it concurrently without leaking any
> useful information between them. consider multiple guest OS'es using
> the instruction directly.
> raw sampling of the sources would provide bias that _might_ be useful
> to a malicious consumer attempting to compromise the entropy of other
> processes or domains, if done naively.
I concur with you here. And I do not ask for the availability of that 
information in any privilege level. I would be fine if that is available only 
in ring 0 and in VM root mode.

> > I spoke with several NIST folks involved in the RNG process in September.
> > And they are not ignorant. Therefore, I would not suggest that we imply
> > anything here!
> are there other organizations that might provide some weight to these
> efforts?  IETF?

The German BSI performs RNG analyses for quite some time. See


| Cui bono? |

More information about the cryptography mailing list