[cryptography] [liberationtech] Random number generation being influenced - rumors

Eugen Leitl eugen at leitl.org
Sat Sep 7 07:14:02 EDT 2013


----- Forwarded message from Andy Isaacson <adi at hexapodia.org> -----

Date: Fri, 6 Sep 2013 22:24:00 -0700
From: Andy Isaacson <adi at hexapodia.org>
To: liberationtech <liberationtech at lists.stanford.edu>
Subject: Re: [liberationtech] Random number generation being influenced - rumors
User-Agent: Mutt/1.5.20 (2009-06-14)
Reply-To: liberationtech <liberationtech at lists.stanford.edu>

On Sat, Sep 07, 2013 at 12:51:19AM +0300, Maxim Kammerer wrote:
> On Fri, Sep 6, 2013 at 10:34 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> > This is not to say that RdRand is completely unusable.  Putting RdRand
> > entropy into a software pool implementation like /dev/urandom (or
> > preferably, a higher-assurance multipool design like Fortuna) is a cheap
> > way to prevent a putative backdoor from compromising your system state.
> 
> Nearly nothing from what you wrote is relevant to RDRAND, which is not
> a pure HWRNG, but implements CTR_DRBG with AES (unclear whether
> 128/192/256) from NIST SP 800-90A [1,2].

That's the claimed design, yes.  I see no particular reason to believe
that the hardware in my server implements the design.  I can't even test
that the AES whitening does what it is documented to do, because Intel
refused to provide access to the prewhitened input.

Providing accessible "test points" (software interfaces to the innards
of the implementation, with documentation of expected behavior between
the components) would be the absolute minimum to provide believable
assurance of the absence of a backdoor.  Better would be documents from
Intel of how the chip is designed at the mask level, and a third party
mill-and-microphotograph of a retail chip showing that the shipped
implementation matches the design.

Intel will never go for that, of course, since their chip masks are
their jealously guarded IP.  Since they can't provide evidence of a lack
of a backdoor, any reasonably cautious user should avoid depending on
Intel's implementation.

-andy
-- 
Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5


More information about the cryptography mailing list