[cryptography] [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

Ben Laurie ben at links.org
Sat Jul 13 04:43:14 EDT 2013


On 13 July 2013 03:20, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Nico Williams <nico at cryptonector.com> writes:
>
>>I'd like to understand what attacks NSA and friends could mount, with Intel's
>>witting or unwitting cooperation, particularly what attacks that *wouldn't*
>>put civilian (and military!) infrastructure at risk should details of a
>>backdoor leak to the public, or *worse*, be stolen by an antagonist.
>
> Right.  How exactly would you backdoor an RNG so (a) it could be effectively
> used by the NSA when they needed it (e.g. to recover Tor keys), (b) not affect
> the security of massive amounts of infrastructure, and (c) be so totally
> undetectable that there'd be no risk of it causing a s**tstorm that makes the
> $0.5B FDIV bug seem like small change (not to mention the legal issues, since
> this one would have been inserted deliberately, so we're probably talking
> bet-the-company amounts of liability there).
>
>>I'm *not* saying that my wishing is an argument for trusting Intel's RNG --
>>I'm sincerely trying to understand what attacks could conceivably be mounted
>>through a suitably modified RDRAND with low systemic risk.
>
> Being careful is one thing, being needlessly paranoid is quite another.  There
> are vast numbers of issues that crypto/security software needs to worry about
> before getting down to "has Intel backdoored their RNG".

But what's the argument for _not_ mixing their probably-not-backdoored
RNG with other entropy?

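Added illustration of the mixing Ben is asking about (this is example code written for this archive page, not code from anyone in the thread and not from any real RNG implementation): a hash-based combiner whose output stays unpredictable as long as any one input is, shown beside an XOR combiner that an adaptive source can cancel. The `PredictableRng` class is a constructed stand-in for a hypothetical backdoored hardware RNG (a stream derived from a seed the attacker also holds); SHA-256 as the extractor and the names `mix_entropy`, `xor_mix` and `run_scenarios` are this example's own assumptions, not a description of RDRAND or of any OS entropy pool.

```python
import hashlib
import os


def mix_entropy(*sources: bytes) -> bytes:
    """Hash-based combiner: the output is unpredictable if ANY input is.

    Each input is length-prefixed so that (b"ab", b"c") and (b"a", b"bc")
    hash differently.  SHA-256 is assumed here as the extractor; a real
    pool uses its own construction, but the property demonstrated is the same.
    """
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()


def xor_mix(a: bytes, b: bytes) -> bytes:
    """XOR combiner: fine for independent sources, but cancellable by an
    adaptive source that gets to see the other input before answering."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class PredictableRng:
    """Constructed model of a hardware RNG with a hypothetical backdoor:
    the stream is derived from a seed the vendor (attacker) also holds.
    A thought-experiment stand-in, not a claim about any real part."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self.seed + self.counter.to_bytes(8, "big")
            out += hashlib.sha256(block).digest()
            self.counter += 1
        return out[:n]


def run_scenarios(seed: bytes, honest: bytes, chosen: bytes) -> dict:
    """Derive a 32-byte key three ways and ask, for each, whether an
    attacker who knows `seed` (but not `honest`) can predict or steer it.
    `honest` stands for the OS's other entropy (interrupt timings etc.),
    `chosen` for a key value the attacker would like to force."""
    device = PredictableRng(seed)
    attacker = PredictableRng(seed)      # same seed: the attacker's replica
    hw = device.read(32)
    hw_guess = attacker.read(32)

    # 1. Trust the hardware RNG alone: the replica reproduces it exactly.
    direct_predicted = (hw == hw_guess)

    # 2. Hash-mix with the honest source: the attacker knows hw but still has
    #    to guess `honest`; a wrong guess gives an unrelated key.
    key = mix_entropy(hw, honest)
    key_guess = mix_entropy(hw_guess, os.urandom(32))   # attacker's best try
    mixed_predicted = (key == key_guess)

    # 3. Adaptive source that sees `honest` first and wants the final key
    #    to equal `chosen`.  XOR lets it cancel `honest`; a hash does not.
    adaptive_output = xor_mix(honest, chosen)
    xor_steered = (xor_mix(adaptive_output, honest) == chosen)
    hash_steered = (mix_entropy(adaptive_output, honest) == chosen)

    return {
        "direct_predicted": direct_predicted,
        "mixed_predicted": mixed_predicted,
        "xor_steered": xor_steered,
        "hash_steered": hash_steered,
    }


if __name__ == "__main__":
    results = run_scenarios(b"vendor-secret", os.urandom(32), bytes(32))
    for name, value in results.items():
        print(f"{name:16s} {value}")
```

The point of scenario 3 is the one that decides between the two combiners: XOR is only safe when the sources are independent of each other, whereas a hash over all inputs lets a source that is both predictable and adaptive contribute nothing worse than zero entropy. Either way the honest source is never made worse by mixing in the hardware output, which is the direction Ben's question points at.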
