[cryptography] [liberationtech] Random number generation being influenced - rumors
ggr at seer-grog.net
Mon Sep 9 01:18:07 EDT 2013
On Sep 8, 2013, at 22:10, coderman <coderman at gmail.com> wrote:
> On Sun, Sep 8, 2013 at 10:05 PM, coderman <coderman at gmail.com> wrote:
>> none of these are compelling reasons to not release raw access to the
>> entropy stream from hardware noise sources.*
> * i meant to add, there have been various justifications put forth.
> again, none of them compelling. for every potential risk to the RDRAND
> / RDSEED consumers, there is a trivial way to reset / reseed / refill
> the system in a way that could accommodate both raw access to the
> entropy bits while retaining the assurances of RDRAND / RDSEED.
> and for every claim that such a transition represents an opportunity
> for DoS, there is a trivial elevated permissions which could
> accommodate such transitions only when authorized.
> and so forth and so on, to no effect. the lines have been drawn, and
> nothing will convince Intel to release raw access to the entropy
I actually hate to point this out, but having access to something that "looks like" a raw entropy source proves nothing. Given a design for a hardware RNG, with a characterization of its biases, I could straightforwardly take a stream generated by AES in counter mode with a 32-bit counter and do a kind of reverse distillation to make it look like the output from such a hardware RNG. Then, if the adversary knows what software is used to distill the entropy (and the AES key), the game is still over.
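The "reverse distillation" sketched in the message above, as an added example that is not part of the original post or any vendor's design. It assumes a noise source characterised only by a first-order bias p(1) = 0.6, a public conditioner that is SHA-256 over the raw bits, and a 32-bit block counter; all names, the key and the bias are this example's own constructions. Python's standard library has no AES, so the counter-mode keystream is SHA-256(key || counter) as a stand-in for AES-CTR; the argument does not depend on which block function is used. The shaped stream shows the same bias an auditor of the raw tap would measure on genuine noise, and an adversary holding the key recovers the counter from one delivered output and predicts the next one.

```python
"""Shaping a deterministic keystream to look like a biased hardware noise source.

Constructed example. Stand-in: SHA-256(key || 32-bit counter) replaces AES-CTR.
"""
import hashlib
import random
import struct
from typing import List, Optional, Tuple


def keystream(key: bytes, counter: int, nbytes: int) -> Tuple[bytes, int]:
    """Counter-mode keystream with a 32-bit counter (stand-in for AES-CTR).
    block_i = SHA-256(key || counter + i). Returns the bytes and blocks consumed."""
    out = bytearray()
    blocks = 0
    while len(out) < nbytes:
        ctr = struct.pack(">I", (counter + blocks) & 0xFFFFFFFF)
        out += hashlib.sha256(key + ctr).digest()
        blocks += 1
    return bytes(out[:nbytes]), blocks


def shape_to_bias(key: bytes, counter: int, nbits: int, p_one: float) -> Tuple[List[int], int]:
    """'Reverse distillation': map uniform keystream bits onto a Bernoulli(p_one)
    stream so its first-order bias matches the characterised noise source.
    Each output bit spends 16 keystream bits against a fixed threshold."""
    threshold = int(p_one * 65536)
    ks, blocks = keystream(key, counter, 2 * nbits)
    bits = [1 if ((ks[2 * i] << 8) | ks[2 * i + 1]) < threshold else 0 for i in range(nbits)]
    return bits, blocks


def genuine_noise(nbits: int, p_one: float, seed: int = 1) -> List[int]:
    """Constructed stand-in for a real biased noise source (seeded for reproducibility)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(nbits)]


def bias_of(bits: List[int]) -> float:
    """Empirical P(bit == 1): the statistic an auditor of a 'raw' tap would measure."""
    return sum(bits) / len(bits)


def pack_bits(bits: List[int]) -> bytes:
    """Pack a bit list MSB-first into bytes, zero-padding the last byte."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        chunk += [0] * (8 - len(chunk))
        byte = 0
        for b in chunk:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def condition(raw_bits: List[int]) -> bytes:
    """The public conditioner ('distiller') that turns raw noise into the delivered value."""
    return hashlib.sha256(pack_bits(raw_bits)).digest()


class FakeNoiseSource:
    """A 'hardware RNG' whose raw tap is really the shaped keystream."""

    def __init__(self, key: bytes, p_one: float, counter: int = 0) -> None:
        self.key, self.p_one, self.counter = key, p_one, counter

    def read_raw(self, nbits: int) -> List[int]:
        bits, used = shape_to_bias(self.key, self.counter, nbits, self.p_one)
        self.counter = (self.counter + used) & 0xFFFFFFFF
        return bits

    def read_random(self, nbits: int) -> bytes:
        return condition(self.read_raw(nbits))


def adversary_recover_counter(key: bytes, observed: bytes, nbits: int,
                              p_one: float, max_counter: int) -> Optional[int]:
    """Knowing the key, the shaping step and the conditioner, search the counter
    window for the state that produced one observed output."""
    for c in range(max_counter):
        bits, _ = shape_to_bias(key, c, nbits, p_one)
        if condition(bits) == observed:
            return c
    return None


def adversary_predict_next(key: bytes, counter_of_observed: int, nbits: int, p_one: float) -> bytes:
    """Advance past the observed read and reproduce the device's next delivered value."""
    _, used = shape_to_bias(key, counter_of_observed, nbits, p_one)
    bits, _ = shape_to_bias(key, counter_of_observed + used, nbits, p_one)
    return condition(bits)


if __name__ == "__main__":
    KEY, P_ONE = b"\x13" * 16, 0.6  # constructed demo key and bias
    print("genuine noise bias:", round(bias_of(genuine_noise(20000, P_ONE)), 3))
    print("shaped stream bias:", round(bias_of(shape_to_bias(KEY, 0, 20000, P_ONE)[0]), 3))
    dev = FakeNoiseSource(KEY, P_ONE, counter=37)
    first = dev.read_random(256)
    c = adversary_recover_counter(KEY, first, 256, P_ONE, 200)
    print("recovered counter:", c)
    print("next output predicted:", adversary_predict_next(KEY, c, 256, P_ONE) == dev.read_random(256))
```

The auditor's view (the bias statistic) is identical for the genuine and the shaped stream, which is the whole point: a raw tap only demonstrates that the output matches the published characterisation, not that it came from physics. The search window here is tiny for illustration; with a 32-bit counter the full space is 2^32 states, which is cheap to enumerate for anyone holding the key.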