Re: [liberationtech] Random number generation being influenced - rumors
----- Forwarded message from Andy Isaacson <adi@hexapodia.org> -----

Date: Fri, 6 Sep 2013 22:24:00 -0700
From: Andy Isaacson <adi@hexapodia.org>
To: liberationtech <liberationtech@lists.stanford.edu>
Subject: Re: [liberationtech] Random number generation being influenced - rumors
User-Agent: Mutt/1.5.20 (2009-06-14)
Reply-To: liberationtech <liberationtech@lists.stanford.edu>

On Sat, Sep 07, 2013 at 12:51:19AM +0300, Maxim Kammerer wrote:
> On Fri, Sep 6, 2013 at 10:34 PM, Andy Isaacson <adi@hexapodia.org> wrote:
>> This is not to say that RdRand is completely unusable. Putting RdRand
>> entropy into a software pool implementation like /dev/urandom (or
>> preferably, a higher-assurance multipool design like Fortuna) is a cheap
>> way to prevent a putative backdoor from compromising your system state.
>
> Nearly nothing from what you wrote is relevant to RDRAND, which is not a
> pure HWRNG, but implements CTR_DRBG with AES (unclear whether 128/192/256)
> from NIST SP 800-90A [1,2].

That's the claimed design, yes. I see no particular reason to believe that the hardware in my server implements the design. I can't even test that the AES whitening does what it is documented to do, because Intel refused to provide access to the prewhitened input.

Providing accessible "test points" (software interfaces to the innards of the implementation, with documentation of expected behavior between the components) would be the absolute minimum to provide believable assurance of the absence of a backdoor. Better would be documents from Intel of how the chip is designed at the mask level, and a third party mill-and-microphotograph of a retail chip showing that the shipped implementation matches the design. Intel will never go for that, of course, since their chip masks are their jealously guarded IP.

Since they can't provide evidence of a lack of a backdoor, any reasonably cautious user should avoid depending on Intel's implementation.

-andy

----- End forwarded message -----

--
Eugen* Leitl http://leitl.org
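The "software pool" approach quoted above (fold the hardware output into a pool together with other sources, rather than using it directly) can be shown in a few lines. The following is an added illustration, not code from the thread, from Intel, or from the Linux or Fortuna implementations: `MixingPool` is a deliberately minimal hash-based pool written for this example, `backdoored_hwrng` is a constructed stand-in for a hardware source whose output the adversary knows completely, and `derive_output` / `hardware_alone_does_not_determine_output` are names chosen here. The point it demonstrates is that once a second, independent source is mixed in, the attacker-controlled source no longer determines the pool's output on its own.

```python
import hashlib
import hmac
import os


class MixingPool:
    """Minimal hash-based entropy pool (constructed for this example; not the
    /dev/urandom or Fortuna design). Every input is absorbed into a SHA-256
    chaining state; output is expanded with HMAC keyed by that state."""

    def __init__(self) -> None:
        self._state = hashlib.sha256(b"example-pool-init").digest()
        self._reads = 0

    def mix_in(self, source_id: bytes, sample: bytes) -> None:
        # Domain-separate by source id and length so one source cannot forge
        # the contribution of another by choosing its bytes cleverly.
        h = hashlib.sha256(self._state)
        h.update(source_id)
        h.update(len(sample).to_bytes(4, "big"))
        h.update(sample)
        self._state = h.digest()

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._reads += 1
            out += hmac.new(self._state, self._reads.to_bytes(8, "big"),
                            hashlib.sha256).digest()
        # Ratchet the state so a later compromise does not reveal earlier output.
        self._state = hashlib.sha256(b"ratchet" + self._state).digest()
        return out[:n]


def backdoored_hwrng(n: int) -> bytes:
    """Stand-in for a hardware RNG whose output the adversary knows in full
    (constructed worst case: a fixed, attacker-chosen byte stream)."""
    return bytes([0xA5] * n)


def derive_output(hw_sample: bytes, os_sample: bytes, n: int = 32) -> bytes:
    """Mix a hardware sample with an independent software-pool sample and
    read n bytes. Deterministic for given inputs so the property is testable."""
    pool = MixingPool()
    pool.mix_in(b"hwrng", hw_sample)
    pool.mix_in(b"os-pool", os_sample)
    return pool.read(n)


def hardware_alone_does_not_determine_output() -> bool:
    """With the hardware sample fully known to the attacker, the output still
    depends on the second source: different OS samples give different output,
    and neither output is simply the hardware bytes passed through."""
    hw = backdoored_hwrng(32)
    a = derive_output(hw, os.urandom(32))
    b = derive_output(hw, os.urandom(32))
    return a != b and a != hw[:len(a)] and b != hw[:len(b)]


if __name__ == "__main__":
    print("mixed output:", derive_output(backdoored_hwrng(32), os.urandom(32)).hex())
    print("hardware alone determines output:",
          not hardware_alone_does_not_determine_output())
```

The caveat a practitioner should keep in mind is that mixing only helps while the other sources are genuinely independent of the suspect one: a pool cannot manufacture entropy, so if every input is attacker-known the output is too, and the hash merely hides that fact. The benefit is the one Andy names, containment of a single bad source, not a proof of randomness.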