[Cryptography] randomness for libraries, e.g. OpenSSL

ianG iang at iang.org
Wed Nov 30 06:15:02 EST 2016 

On 28/11/2016 16:37, Jerry Leichter wrote:
>>
>>> As a corollary:  We need to to inveigle the OS providers and
>>> hardware providers to solve the problem.
>> That.  Rather than spending energy on solving the problem in code, which is a really hard objective because of many factors, some of which are listed below, put the energy into Inveiglement....
> Ahem.  Intel went and provided the hardware.  And if you read the messages here ... you shouldn't trust it.


Right.  So Intel provided the hardware and it has weaknesses.  This is 
the same as other vendors providing the hardware, all hardware RNGs come 
with weaknesses.  Hence the need to pool & mix.

>  So what's the next step?

The answer circulates around an assumption - what is the platform that 
is the appropriate place to fix the RNG problem?  Is it Intel, which is 
clearly a platform and it fixes the problem with RDRAND, or is it 
OpenSSL which apps see as a crypto platform, or is it Linux?

The answer is I think - the platform that is lowest layer, in software, 
and in open source.  Everything below is out-of-control hardware, so can 
be seen as a separate source of entropy.  Everything above is user software.

Which makes it Linux.  Or *BSD or Windows.  Is where the problem should 
most efficiently be solved.

> (Audibility is a fine idea ... but how many people in the world have the knowledge, and access to the equipment, needed to check *the actual implementation on a state of the art chip*?)

Right.  When it gets to hardware, we are not only looking for an audit, 
we are totally dependent on it.  Which is not a good thing - and 
hardware therefore has this special status - mysterious, vaguely 
hopeful, branded.

> BTW, if we agree on a standard protocol for an external "random source" ... who's to say the next Intel chips won't recognize that standard protocol and send the bits being generated off to some some server in Utah or Russia or China?

Sure - but a standard source at a platform level like urandom is not 
easy for Intel to futz with.  It is issues like this that make the 
platform of efficient rectification open source.

If the RNG mix is in the OS, then Intel's chip has to look at the code, 
analyse where the RNGs are being mixed, and then dive in and futz with 
the instructions as they are coming out of the mixer.

Crazy, but doable in some corner of the 8bn transisters.  IIRC the 
permathread from about 3 years back, this argument came up when RDRAND 
was being treated as a post-mix action in Linux.  As RDRAND was now the 
last thing, it was somewhat more credible that an internal analysis 
could trigger just on RDRAND.

At the time I think it was acknowledged.  And RDRAND got pushed back 
upstream into the mix - or so it was intimated at the time.  Ideally, 
RDRAND should be "just another pluggable mixer".  And to amuse this 
group here, Linux could also be customarily pushing a series of changes 
... and forcing the NSA to live-update its internal microcode to keep up :)



iang

More information about the cryptography mailing list