[cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Jul 12 22:20:13 EDT 2013

Nico Williams <nico at cryptonector.com> writes:

>I'd like to understand what attacks NSA and friends could mount, with Intel's
>witting or unwitting cooperation, particularly what attacks that *wouldn't*
>put civilian (and military!) infrastructure at risk should details of a
>backdoor leak to the public, or *worse*, be stolen by an antagonist.  

Right.  How exactly would you backdoor an RNG so (a) it could be effectively
used by the NSA when they needed it (e.g. to recover Tor keys), (b) not affect
the security of massive amounts of infrastructure, and (c) be so totally
undetectable that there'd be no risk of it causing a s**tstorm that makes the
$0.5B FDIV bug seem like small change (not to mention the legal issues, since
this one would have been inserted deliberately, so we're probably talking bet-
the-company amounts of liability there).

>I'm *not* saying that my wishing is an argument for trusting Intel's RNG --
>I'm sincerely trying to understand what attacks could conceivably be mounted
>through a suitably modified RDRAND with low systemic risk.

Being careful is one thing, being needlessly paranoid is quite another.  There
are vast numbers of issues that crypto/security software needs to worry about
before getting down to "has Intel backdoored their RNG".


More information about the cryptography mailing list