[cryptography] Design Strategies for Defending against Backdoors

Krisztián Pintér pinterkr at gmail.com
Mon Nov 18 13:01:03 EST 2013


> Intel still has not released raw access to their entropy sources;
> RDRAND and RDSEED both passing through the conditioner (AES-CBC-MAC),
> RDRAND also munged via AES CTR_DRBG (per NIST).

the more i think about it, the less it makes sense. the possible user
base for in-cpu hw random equals approx 7 globally: the different
operating systems we have. any user mode programs accessing any
entropy sources directly are just doing it wrong. but operating
systems do not need processed randomness at all. they already have
entropy collectors and randomness extractors. all they need are
reliable and rich entropy sources, together with a low estimate of
their entropy content. they can easily add the cpu generator as
another source, and we are good to go.

yes, there are a few applications that need an independent random
source, for whatever reason. those applications are written by
experts, and they are quite capable of writing their own randomness
extractor. in fact they *must* write their own extractor.

tl;dr: adding a processing layer to the hw generator benefits no one,
and there is no way intel did not know that. it stinks. it stinks bad.
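The "add the cpu generator as another source, with a low entropy estimate" model from the post, as an added toy example (not code from the post or from any OS): a hash-based pool that mixes raw inputs from several sources, credits each source only the bits its operator trusts it for, and refuses to extract until enough credited entropy has accumulated. Source names, credit rates and the HMAC-SHA256 construction are my own assumptions.

```python
import hashlib
import hmac


class EntropyPool:
    """Hypothetical OS-style randomness extractor (assumed design).

    Every input is mixed into a 256-bit HMAC chain, so a source that turns
    out to be predictable (or hostile) cannot reduce the pool's entropy below
    what the other sources supplied; it can only fail to add any.  Entropy
    accounting is per source, so the CPU generator can be credited
    conservatively (e.g. 0.5 bits per byte) without being distrusted entirely.
    """

    def __init__(self, credit_bits_per_byte):
        # credit_bits_per_byte: {source name: bits credited per input byte}
        self.credit = dict(credit_bits_per_byte)
        self.state = b"\x00" * 32
        self.credited_bits = 0.0

    def add_input(self, source, data):
        if source not in self.credit:
            raise ValueError("unknown source: %r" % source)
        # Domain-separate by source name so two sources feeding identical
        # bytes still produce distinct state transitions.
        msg = source.encode() + b"\x00" + data
        self.state = hmac.new(self.state, msg, hashlib.sha256).digest()
        gained = len(data) * self.credit[source]
        self.credited_bits = min(256.0, self.credited_bits + gained)

    def ready(self, need_bits=128):
        return self.credited_bits >= need_bits

    def extract(self, nbytes, need_bits=128):
        if not self.ready(need_bits):
            raise RuntimeError("insufficient credited entropy")
        out = b""
        counter = 0
        while len(out) < nbytes:
            block = b"out" + counter.to_bytes(4, "big")
            out += hmac.new(self.state, block, hashlib.sha256).digest()
            counter += 1
        # Ratchet the state so earlier outputs cannot be recovered later,
        # and debit the entropy that was just spent.
        self.state = hmac.new(self.state, b"rekey", hashlib.sha256).digest()
        self.credited_bits = max(0.0, self.credited_bits - nbytes * 8)
        return out[:nbytes]
```

The pool treats a constructed all-zero CPU-RNG feed as harmless: it mixes in but earns almost no credit, and extraction only succeeds once a second source has supplied the rest.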


