[cryptography] [liberationtech] Random number generation being influenced - rumors

Greg Rose ggr at seer-grog.net
Mon Sep 9 01:18:07 EDT 2013


On Sep 8, 2013, at 22:10 , coderman <coderman at gmail.com> wrote:

> On Sun, Sep 8, 2013 at 10:05 PM, coderman <coderman at gmail.com> wrote:
>> ...
>> none of these are compelling reasons to not release raw access to the
>> entropy stream from hardware noise sources.*
> 
> * i meant to add, there have been various justifications put forth.
> again, none of them compelling. for every potential risk to the RDRAND
> / RDSEED consumers, there is a trivial way to reset / reseed / refill
> the system in a way that could accommodate both raw access to the
> entropy bits while retaining the assurances of RDRAND / RDSEED.
> 
> and for every claim that such a transition represents an opportunity
> for DoS, there is a trivial elevated permissions which could
> accommodate such transitions only when authorized.
> 
> and so forth and so on, to no effect.  the lines have been drawn, and
> nothing will convince Intel to release raw access to the entropy
> source.

I actually hate to point this out, but having access to something that "looks like" a raw entropy source proves nothing. Given a design for a hardware RNG, with a characterization of its biases, I could straightforwardly take a stream generated by AES in counter mode with a 32-bit counter and do a kind of reverse distillation to make it look like the output from such a hardware RNG. Then, if the adversary knows what software is used to distill the entropy (and the AES key), the game is still over.

Greg.



More information about the cryptography mailing list