virtualization as a threat to RNG

Hal Finney hal at
Wed Mar 21 19:03:58 EDT 2007

Dan Geer wrote:
> Quoting from a discussion of threat posed by software virtualization as 
> found in Symantec's ISTR:xi, released today:
> > The second type of threat that Symantec believes could emerge is 
> > related to the impact that software-virtualized computers may have on 
> > random number generators that are used inside guest operating systems 
> > on virtual machines....

There was related discussion a couple of months ago on the IRTF Crypto
Forum Research Group mailing list.  The question is what security problems
might arise with increased use of virtualization, in particular state
rollbacks causing reuse of nonces and other values that are required to
be unique.

Wei Dai summarized suggestions from the thread at:

: There have been several specific and practical suggestions, but they were
: spread over several messages in the discussion. I'll summarize here:
: 1. Use random IVs instead of counter or state-derived IVs.
: 2. For any crypto scheme that uses random numbers or IVs, generate the
: random numbers/IVs after the message to be encrypted and/or authenticated is
: fixed.
: 3. Use the operating system's secure RNG to generate these random
: numbers/IVs and hash in the current time and/or the message to make sure
: random numbers are not reused on different messages.
: 4. As an alternative to 1-3 above, switch to a crypto scheme such as SIV
: that is specifically designed to tolerate nonce reuse.

The thread index will allow reading more of the discussion at
under the title, "how to guard against VM rollbacks".

Hal Finney

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
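The rollback hazard and Wei Dai's suggestions 2 and 3 above, worked through as an added example (not code from this thread or from any of the people quoted): a snapshot-and-restore of a toy DRBG stands in for a VM rollback, an HMAC-based keystream stands in for a real stream/CTR cipher, and the key, seed and messages are constructed values. With a naive "draw the IV from the RNG" scheme the restored guest emits the same IV for a different message and the two ciphertexts XOR to the XOR of the plaintexts; drawing the randomness after the message is fixed and hashing the message in keeps the IVs distinct, at the cost that an identical message re-encrypted after a rollback produces an identical ciphertext (the same equality leak SIV accepts by design).

```python
import hashlib
import hmac

IV_LEN = 16


class ToyDRBG:
    """Constructed HMAC-based DRBG whose whole state can be copied and restored,
    modelling a guest RNG state captured in a VM snapshot."""

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(seed).digest()

    def snapshot(self) -> bytes:
        return self.state

    def restore(self, state: bytes) -> None:
        self.state = state

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hmac.new(self.state, b"output", hashlib.sha256).digest()
            self.state = hmac.new(self.state, b"update", hashlib.sha256).digest()
        return out[:n]


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for a CTR-mode keystream: HMAC(key, iv || counter) blocks."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    ks = keystream(key, iv, len(msg))
    return iv + bytes(a ^ b for a, b in zip(msg, ks))


def naive_iv(rng: ToyDRBG, msg: bytes) -> bytes:
    # IV drawn straight from the guest RNG; identical after a rollback.
    return rng.random_bytes(IV_LEN)


def bound_iv(rng: ToyDRBG, msg: bytes) -> bytes:
    # Suggestions 2 and 3: take the randomness after the message is fixed and
    # hash the message in, so a repeated RNG state still yields distinct IVs
    # for distinct messages.
    return hashlib.sha256(rng.random_bytes(32) + msg).digest()[:IV_LEN]


def simulate_rollback(iv_fn, msg1: bytes, msg2: bytes, key: bytes = b"k" * 32):
    """Encrypt msg1, roll the guest back to its snapshot, then encrypt msg2."""
    rng = ToyDRBG(b"constructed-seed")
    snap = rng.snapshot()
    c1 = encrypt(key, iv_fn(rng, msg1), msg1)
    rng.restore(snap)  # the VM rollback
    c2 = encrypt(key, iv_fn(rng, msg2), msg2)
    return c1, c2


def iv_reused(c1: bytes, c2: bytes) -> bool:
    return c1[:IV_LEN] == c2[:IV_LEN]


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """With a reused IV and key the keystreams cancel: this equals msg1 XOR msg2."""
    return bytes(a ^ b for a, b in zip(c1[IV_LEN:], c2[IV_LEN:]))


if __name__ == "__main__":
    m1, m2 = b"transfer 100 to alice", b"transfer 100 to bobby"
    n1, n2 = simulate_rollback(naive_iv, m1, m2)
    print("naive IV reused after rollback:", iv_reused(n1, n2))
    b1, b2 = simulate_rollback(bound_iv, m1, m2)
    print("message-bound IV reused after rollback:", iv_reused(b1, b2))
```

The two_time_pad_leak value is the thing a defender should worry about: it recovers the XOR of the two plaintexts without the key, which is exactly the failure the thread was trying to guard against.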
