[cryptography] [Cryptography] Random number generation influenced, HW RNG

Eugen Leitl eugen at leitl.org
Tue Sep 10 07:01:02 EDT 2013


----- Forwarded message from Eric Young <eay at pobox.com> -----

Date: Tue, 10 Sep 2013 20:58:20 +1000
From: Eric Young <eay at pobox.com>
To: Eugen Leitl <eugen at leitl.org>
Cc: cypherpunks at al-qaeda.net, info at postbiota.org, zs-p2p at zerostate.is, Cryptography List <cryptography at metzdowd.com>
Subject: Re: [Cryptography] [cryptography] Random number generation influenced, HW RNG
X-Mailer: Evolution 3.2.3-0ubuntu6

On Sun, 2013-09-08 at 13:27 +0200, Eugen Leitl wrote:
> ----- Forwarded message from "James A. Donald" <jamesd at echeque.com> -----
> On 2013-09-08 3:48 AM, David Johnston wrote:
> > Claiming the NSA colluded with intel to backdoor RdRand is also to
> > accuse me personally of having colluded with the NSA in producing a
> > subverted design. I did not.
> 
> Well, since you personally did this, would you care to explain the
> very strange design decision to whiten the numbers on chip, and not
> provide direct access to the raw unwhitened output.
> 
> A decision that even assuming the utmost virtue on the part of the
> designers, leaves open the possibility of malfunctions going
> undetected.

I may have missed this part of the thread, but I'm interested in knowing
the rationale for letting the hypervisor intercept the RDRAND call and
return any value it likes, bypassing the random hardware.

I've had one person speculate it would be useful for keeping 2 CPUs in
sync (the TSC can also be intercepted), but it does worry me that
RDRAND calls can be rendered predictable by a compromised VM.

eric

For those interested,
Intel document 325462.pdf, "Intel® 64 and IA-32 Architectures Software
Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C"
Page 'Vol. 3C 27-23', Table 27-12. Format of the VM-Exit
Instruction-Information Field as Used for RDRAND
----- End forwarded message -----
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
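The two concerns in the thread above, that a hypervisor can substitute its own values for RDRAND output and that on-chip whitening leaves a malfunctioning source undetectable, come down to the same defender's question: can software still tell when the source has gone bad? The following C program is an added illustration, not code from the thread or from Intel. It models two constructed 64-bit sources behind an RDRAND-style interface (a "stuck" source that always returns the same value, as an intercepted or failed source would look, and a healthy-looking xorshift64* stand-in), runs a repetition count test in the style of NIST SP 800-90B section 4.4.1 over them, and then repeats the test behind a toy whitener (the splitmix64 output mixer, used here only because it is a bijection that makes any input look varied, not as a cryptographic conditioner). The source functions, constants and the `whiten` helper are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Entropy-source interface modelled on the RDRAND contract: write one 64-bit
 * sample to *out and return 1 on success. Both sources below are constructed
 * stand-ins for this example; no hardware instruction is executed. */
typedef int (*rng_source_fn)(uint64_t *out);

/* A "stuck" source: what an intercepted RDRAND that always hands back the
 * same value, or a failed noise source, looks like to software.
 * The constant is a hypothetical value chosen for the example. */
int stuck_source(uint64_t *out)
{
    *out = 0x4141414141414141ULL;
    return 1;
}

/* A healthy-looking source: xorshift64* PRNG. Its state walk is a bijection
 * with a long period, so consecutive outputs never repeat. Good enough to
 * exercise the health test; not a cryptographic generator. */
static uint64_t xs_state = 0x9E3779B97F4A7C15ULL;
int healthy_source(uint64_t *out)
{
    uint64_t x = xs_state;
    x ^= x >> 12;
    x ^= x << 25;
    x ^= x >> 27;
    xs_state = x;
    *out = x * 0x2545F4914F6CDD1DULL;
    return 1;
}

/* Toy whitener standing in for the on-chip conditioner: the splitmix64 output
 * mixer applied to (raw + counter * odd constant). It is a 64-bit bijection,
 * so every sample index yields a different output even when `raw` never
 * changes. Not a cryptographic construction; its only job here is to make the
 * stream look varied regardless of the input, which is exactly the property
 * the thread complains about when raw access is withheld. */
uint64_t whiten(uint64_t raw, uint64_t counter)
{
    uint64_t z = raw + counter * 0x9E3779B97F4A7C15ULL;
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Repetition count test in the style of NIST SP 800-90B section 4.4.1: the
 * source is flagged as soon as the same value is seen `cutoff` times in a
 * row. Returns 1 if `n` samples pass, 0 if the source is flagged. When
 * `whitened` is nonzero the test only sees conditioner output, which is the
 * only view a caller gets if the raw noise output is not exposed. */
int repetition_count_test(rng_source_fn src, size_t n, unsigned cutoff, int whitened)
{
    uint64_t prev = 0, cur;
    unsigned run = 0;
    for (size_t i = 0; i < n; i++) {
        if (!src(&cur))
            return 0;            /* source reported failure: treat as unhealthy */
        if (whitened)
            cur = whiten(cur, (uint64_t)i);
        if (i > 0 && cur == prev) {
            if (++run >= cutoff)
                return 0;        /* stuck: cutoff identical samples in a row */
        } else {
            run = 1;
        }
        prev = cur;
    }
    return 1;
}

int main(void)
{
    printf("stuck source, raw view:      %s\n",
           repetition_count_test(stuck_source, 1000, 3, 0) ? "PASS" : "FAIL");
    printf("stuck source, whitened view: %s\n",
           repetition_count_test(stuck_source, 1000, 3, 1) ? "PASS" : "FAIL");
    printf("healthy source, raw view:    %s\n",
           repetition_count_test(healthy_source, 1000, 3, 0) ? "PASS" : "FAIL");
    return 0;
}
```

The raw view of the stuck source fails on the third identical sample, while the whitened view of the very same source passes every check, so a health test that only sees conditioned output cannot distinguish a working generator from a stuck or substituted one. That is the practical reason to expose raw noise output alongside the conditioned stream, and why a guest should feed RDRAND into a pool mixed with other independent inputs rather than treat it as a sole source.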
