[cryptography] RDRAND not really random with Oracle Studio 12.3 + patches
dj at deadhat.com
Mon Jun 13 00:16:22 EDT 2016
On 6/10/2016 4:50 PM, Jeffrey Walton wrote:
> Ouch... just came across this...
> I did not think it was possible to foul the hardware generated random
> numbers (sans an occasional underflow).
While the code doesn't follow the SDG guidelines (i.e. it doesn't check
for the return status and it doesn't check for the instruction support),
it should work because RdRand doesn't underflow in any of our chips. Is
this running in a VM or on bare metal? A VM intercept could cause it to
happen. Also, if you did get an underflow, the resulting value passed to
the pointed-to location would be 0.
I tried compiling that code on an Ivy Bridge machine running Linux, but
it failed to compile:
>gcc rdrand.c -o rdrand
rdrand.c:1:29: fatal error: sys/immintrin.h: No such file or directory
So I pointed the header to the right place and spent an eternity finding
that I needed the -mrdrnd target flag to make the intrinsic happy.
#include <sys/immintrin.h> --> #include <immintrin.h>
>gcc -mrdrnd rdrand.c -o rdrand
and of course it worked. (Also check out this fine example of Benford's
law resulting from the base change to decimal.)
47548 1558559191 2755117154251474975
50537 3898659232 2936332874890231466
40031 1552195508 10170037297392088344
5444 1986582987 12501565610254954363
51634 1349842509 17357073879924565963
59068 1088061637 3243797942283965136
25115 1206811090 13419374814453446609
5749 1685023546 13986067242084897708
36940 1839303180 17932264519825487916
20741 1220949897 4022801322442653892
So it must be some sort of compiler bug or VM problem.
We work with many vendors to make sure the RdRand and RdSeed support is
done correctly and securely. So I'd like to make sure this is resolved.
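As an added example (not code from the thread, nor from Intel's guide), here is what the two checks the posted program skipped look like in practice: CPUID feature detection before the instruction is ever executed, and the carry-flag return status of every step with a bounded retry loop. The function names, the RDSEED retry cap, and the use of GCC/clang's target attribute (which replaces the -mrdrnd / -mrdseed command-line flags) and cpuid.h are assumptions of this example; the code assumes an x86-64 build and degrades to "unsupported" elsewhere.

```c
/* Added example, not from the thread: RdRand/RdSeed wrappers that check
 * CPUID support and the per-step carry-flag status, with bounded retries.
 * The target attributes stand in for -mrdrnd / -mrdseed (GCC and clang).
 * On a non-x86_64 build every call reports "unsupported" instead of #UD. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__)
#include <cpuid.h>
#include <immintrin.h>
#define HAVE_X86_64 1
#else
#define HAVE_X86_64 0
#endif

#define RDRAND_RETRIES 10   /* Intel's DRNG guide: retry RDRAND up to 10 times */
#define RDSEED_RETRIES 100  /* RDSEED can stay busy longer; this cap is our assumption */

/* CPUID.01H:ECX[30] = RDRAND, CPUID.01H:ECX[31] = hypervisor present
 * (set by most VMMs, useful when asking "VM or bare metal?"). */
static int cpuid_leaf1_ecx_bit(unsigned bit) {
#if HAVE_X86_64
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    return (c >> bit) & 1u;
#else
    (void)bit;
    return 0;
#endif
}
int rdrand_supported(void)   { return cpuid_leaf1_ecx_bit(30); }
int hypervisor_present(void) { return cpuid_leaf1_ecx_bit(31); }

/* CPUID.(07H,0):EBX[18] = RDSEED. */
int rdseed_supported(void) {
#if HAVE_X86_64
    unsigned a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 7) return 0;
    __cpuid_count(7, 0, a, b, c, d);
    return (b >> 18) & 1u;
#else
    return 0;
#endif
}

/* 1 and a value on success, 0 otherwise.  A failed step (CF=0) leaves 0 in
 * the destination, and the unsupported path zeroes *out too, so a caller
 * that ignores the status never sees a stale or half-written value. */
#if HAVE_X86_64
__attribute__((target("rdrnd")))
#endif
int rdrand64(uint64_t *out) {
    *out = 0;
#if HAVE_X86_64
    if (rdrand_supported()) {
        unsigned long long v = 0;
        for (int i = 0; i < RDRAND_RETRIES; i++)
            if (_rdrand64_step(&v)) { *out = v; return 1; }
    }
#endif
    return 0;
}

#if HAVE_X86_64
__attribute__((target("rdseed")))
#endif
int rdseed64(uint64_t *out) {
    *out = 0;
#if HAVE_X86_64
    if (rdseed_supported()) {
        unsigned long long v = 0;
        for (int i = 0; i < RDSEED_RETRIES; i++)
            if (_rdseed64_step(&v)) { *out = v; return 1; }
    }
#endif
    return 0;
}

/* Fill n bytes from RdRand.  On any failure the whole buffer is zeroed and
 * 0 returned, so a partially filled buffer can't pass for a good one. */
int rdrand_fill(void *buf, size_t n) {
    uint8_t *p = buf;
    for (size_t left = n; left > 0;) {
        uint64_t v;
        size_t take = left < sizeof v ? left : sizeof v;
        if (!rdrand64(&v)) { memset(buf, 0, n); return 0; }
        memcpy(p, &v, take);
        p += take; left -= take;
    }
    return 1;
}

/* Consistency check: success only when CPUID advertises the feature,
 * failure always leaves zeros, and two successful fills differ. */
int rdrand_selfcheck(void) {
    uint64_t a = 1, b = 1; uint8_t x[32], y[32], zero[32] = {0};
    int ra = rdrand64(&a), rb = rdrand64(&b);
    if ((ra || rb) && !rdrand_supported()) return 0;
    if (!ra && a != 0) return 0;
    int fx = rdrand_fill(x, 32), fy = rdrand_fill(y, 32);
    if (fx && fy && memcmp(x, y, 32) == 0) return 0;
    if (!fx && memcmp(x, zero, 32) != 0) return 0;
    return 1;
}

int main(void) {
    uint64_t v;
    printf("rdrand=%d rdseed=%d hypervisor=%d\n", rdrand_supported(),
           rdseed_supported(), hypervisor_present());
    for (int i = 0; i < 10 && rdrand64(&v); i++) printf("%llu\n", (unsigned long long)v);
    return 0;
}
```

Build with plain `gcc rdrand.c -o rdrand`; the target attributes make the -mrdrnd flag unnecessary. If rdrand64() fails after ten retries on hardware that advertises RDRAND, that is the condition the message above attributes to a VM intercept, and hypervisor_present() is the first thing to look at.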