From eugen@leitl.org Fri Sep 6 18:33:54 2013
From: Eugen Leitl
To: cypherpunks@lists.cpunks.org
Subject: Re: [liberationtech] Random number generation being influenced - rumors
Date: Sat, 07 Sep 2013 00:33:51 +0200
Message-ID: <20130906223351.GG29404@leitl.org>

----- Forwarded message from Maxim Kammerer -----

Date: Sat, 7 Sep 2013 00:51:19 +0300
From: Maxim Kammerer
To: liberationtech
Subject: Re: [liberationtech] Random number generation being influenced - rumors
Reply-To: liberationtech

On Fri, Sep 6, 2013 at 10:34 PM, Andy Isaacson wrote:
> This is not to say that RdRand is completely unusable. Putting RdRand
> entropy into a software pool implementation like /dev/urandom (or
> preferably, a higher-assurance multipool design like Fortuna) is a cheap
> way to prevent a putative backdoor from compromising your system state.

Nearly nothing from what you wrote is relevant to RDRAND, which is not a pure HWRNG, but implements CTR_DRBG with AES (unclear whether 128/192/256) from NIST SP 800-90A [1,2]. Interaction with the hardware entropy source (ES) is implemented in microcode, so in case the relevant microcode is reverse-engineered (or the relevant documentation is obtained from Intel), it is possible to verify the correctness of most of RDRAND's operation. ES operation could perhaps be analyzed in a lab.

The choice of CTR_DRBG over (probably much faster) Hash_DRBG seems weird at first sight, but secure hashes are not yet available in Intel processors [3]. Of course, an interesting conspiracy theory would then be that NSA influenced Intel to delay secure hash instruction deployment after breaking AES, in order to exploit an AES-NI-based RDRAND.
[1] http://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide
[2] http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
[3] http://software.intel.com/en-us/articles/intel-sha-extensions

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

--
Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys(a)stanford.edu.

----- End forwarded message -----

--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
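The CTR_DRBG construction Maxim describes, together with the pool-mixing defence Andy Isaacson proposes in the quoted reply, as an added worked example in Go. This is not Intel's microcode, NIST's code, or anything from the thread: it implements SP 800-90A CTR_DRBG with AES-128 and no derivation function (AES-128 is an assumption, since the text notes Intel has not said which key size RDRAND uses; reseeding and the personalization string are left out), and MixIntoPool is a SHA-256 stand-in for a real multipool design such as Fortuna, not a production mixer. The seed and pool bytes are constructed inputs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"fmt"
)

// Added illustration, not Intel's or NIST's code: CTR_DRBG from SP 800-90A (section 10.2.1)
// with AES-128 (assumed) and no derivation function; reseed counter and personalization omitted.
const (
	blockLen = 16                // AES block length in bytes
	keyLen   = 16                // AES-128 key length (assumed)
	seedLen  = keyLen + blockLen // seedlen when no derivation function is used
)

// CtrDRBG is the working state: key K and counter V (exported so tests can inspect them).
type CtrDRBG struct{ Key, V []byte }

// increment computes V = (V + 1) mod 2^128, treating V as a big-endian integer.
func increment(v []byte) {
	for i := len(v) - 1; i >= 0; i-- {
		if v[i]++; v[i] != 0 {
			return
		}
	}
}

// update is CTR_DRBG_Update: temp = AES_K(V+1) || AES_K(V+2) XOR provided_data (seedlen
// bytes), then K = first keylen bytes of temp and V = the remaining blocklen bytes.
func (d *CtrDRBG) update(providedData []byte) {
	block, _ := aes.NewCipher(d.Key) // K is always keyLen bytes, so NewCipher cannot fail
	temp := make([]byte, 0, seedLen)
	for len(temp) < seedLen {
		increment(d.V)
		out := make([]byte, blockLen)
		block.Encrypt(out, d.V)
		temp = append(temp, out...)
	}
	for i := range temp {
		temp[i] ^= providedData[i]
	}
	d.Key, d.V = temp[:keyLen:keyLen], temp[keyLen:]
}

// NewCtrDRBG is Instantiate without a derivation function: seed_material = entropy_input
// (an empty personalization string is assumed), K = 0, V = 0, then one Update.
func NewCtrDRBG(entropyInput []byte) (*CtrDRBG, error) {
	if len(entropyInput) != seedLen {
		return nil, fmt.Errorf("entropy_input must be %d bytes", seedLen)
	}
	d := &CtrDRBG{Key: make([]byte, keyLen), V: make([]byte, blockLen)}
	d.update(entropyInput)
	return d, nil
}

// Generate returns n bytes: an optional Update with additional_input, the AES-CTR keystream
// under K as output, then a final Update so a later state compromise does not reveal them.
func (d *CtrDRBG) Generate(n int, additionalInput []byte) ([]byte, error) {
	if len(additionalInput) > seedLen {
		return nil, fmt.Errorf("additional_input longer than %d bytes", seedLen)
	}
	addIn := make([]byte, seedLen) // zero-padded; all zeros when no additional input is given
	if additionalInput != nil {
		copy(addIn, additionalInput)
		d.update(addIn)
	}
	block, _ := aes.NewCipher(d.Key)
	out := make([]byte, 0, n+blockLen)
	for len(out) < n {
		increment(d.V)
		blk := make([]byte, blockLen)
		block.Encrypt(blk, d.V)
		out = append(out, blk...)
	}
	d.update(addIn)
	return out[:n], nil
}

// MixIntoPool is the cheap defence from the quoted reply: hash the DRBG output with an
// independent pool instead of using it raw, so the DRBG seed alone does not predict what the
// system uses. SHA-256 stands in for a real multipool design such as Fortuna.
func MixIntoPool(pool, drbgOutput []byte) []byte {
	h := sha256.New()
	h.Write([]byte("pool-mix-v1")) // domain separation, arbitrary
	h.Write(pool)
	h.Write(drbgOutput)
	return h.Sum(nil)
}

func main() {
	seed := bytes.Repeat([]byte{0x42}, seedLen) // constructed "entropy input"
	a, _ := NewCtrDRBG(seed)
	b, _ := NewCtrDRBG(seed)
	outA, _ := a.Generate(32, nil)
	outB, _ := b.Generate(32, nil)
	// Whoever knows the seed (e.g. via a compromised entropy source) reproduces the output.
	fmt.Printf("same seed, same output: %v\n", bytes.Equal(outA, outB))
	fmt.Printf("mixed with pool: %x\n", MixIntoPool([]byte("independent pool state"), outA))
}
```

The check worth making against any CTR_DRBG implementation, with or without published test vectors, follows directly from the standard: after Instantiate, K||V must equal AES_0(1)||AES_0(2) XOR the seed material, and the first block returned by Generate must be AES_K(V+1) under the state before the call. The point for the thread is that everything after the entropy source is deterministic and auditable given the microcode; what the DRBG cannot do is turn a dishonest or attacker-known seed into unpredictable output, which is why feeding its output through an independent pool, as in MixIntoPool, is the cheap mitigation.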