[cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

William Yager will.yager at gmail.com
Sat Jul 13 01:38:52 EDT 2013

There are plenty of ways to design an apparently random number generator so
that you can predict the output (exactly or approximately) without causing
any obvious flaws in the pseudorandom output stream. Even the smallest bias
can significantly reduce security. This could be a critical failure, and we
have no way to determine whether or not it is happening.

As for preventing potential security holes and making the backdoor
deniable, that takes a little more thinking.

And for legal issues, there are any number of hand-wavy blame-shifting
schemes that Intel and whoever would want to backdoor their RNG could use.

I contest the idea that we should ignore the fact that Intel's RNG could be
backdoored. Just because other problems exist doesn't mean we should ignore
this one. I agree that perhaps worrying about this constitutes being "too
paranoid", but no cryptographer ever got hurt by being too paranoid, and
not trusting your hardware is a great place to start.

On Fri, Jul 12, 2013 at 7:20 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz>wrote:

> Nico Williams <nico at cryptonector.com> writes:
> >I'd like to understand what attacks NSA and friends could mount, with
> Intel's
> >witting or unwitting cooperation, particularly what attacks that
> *wouldn't*
> >put civilian (and military!) infrastructure at risk should details of a
> >backdoor leak to the public, or *worse*, be stolen by an antagonist.
> Right.  How exactly would you backdoor an RNG so (a) it could be
> effectively
> used by the NSA when they needed it (e.g. to recover Tor keys), (b) not
> affect
> the security of massive amounts of infrastructure, and (c) be so totally
> undetectable that there'd be no risk of it causing a s**tstorm that makes
> the
> $0.5B FDIV bug seem like small change (not to mention the legal issues,
> since
> this one would have been inserted deliberately, so we're probably talking
> bet-
> the-company amounts of liability there).
> >I'm *not* saying that my wishing is an argument for trusting Intel's RNG
> --
> >I'm sincerely trying to understand what attacks could conceivably be
> mounted
> >through a suitably modified RDRAND with low systemic risk.
> Being careful is one thing, being needlessly paranoid is quite another.
>  There
> are vast numbers of issues that crypto/security software needs to worry
> about
> before getting down to "has Intel backdoored their RNG".
> Peter.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130712/82f00762/attachment.html>

More information about the cryptography mailing list