[cryptography] Random number generation influenced, HW RNG

Eugen Leitl eugen at leitl.org
Sat Sep 7 15:05:33 EDT 2013


On Sat, Sep 07, 2013 at 10:48:02AM -0700, David Johnston wrote:

> It's interesting to consider the possibilities of corruption and
> deception that may exist in product design. It's a lot more alarming
> when it's your own design that is being accused of having been
> backdoored. Claiming the NSA colluded with Intel to backdoor RdRand
> is also to accuse me personally of having colluded with the NSA in
> producing a subverted design. I did not.

There is no way for us to check what Intel ships. A trustable
system must be inspectable, so that we actually don't have to
guess what it does, but can actually check.

This pretty much rules out CPU-integral RNGs. It has to be
a third-party add-on (USB or PCIe), and it has to be open hardware.

Additional advantage of a kit-like approach (say, FPGA that ships
without a blob that has to be downloaded from a depository) is that
you can circumvent IP issues, and don't have a manufacturer who
can be forced into backdooring the system.
 
> A quick googling revealed many such instances of statements to this
> effect, strewn across the internet, based on inferences from the
> Snowden leaks and resulting Guardian and NYT articles.
> 
> I personally know it not to be true and from my perspective, the
> effort we went to improve computer security by making secure random
> numbers available and ubiquitous in a low attack-surface model is
> now being undermined by speculation that would lead people to use

How badly patent-entangled is Intel's RNG? Can the fundamental
principle be extracted into an open design?

> less available, less secure RNGs. This I expect would serve the
> needs of the NSA well.