[Cryptography] Fwd: [IP] 'We cannot trust' Intel and Via's chip-based crypto, FreeBSD developers say

John Kelsey crypto.jmk at gmail.com
Mon Dec 16 12:52:15 EST 2013


On Dec 13, 2013, at 2:02 PM, Nico Williams <nico at cryptonector.com> wrote:

> On Fri, Dec 13, 2013 at 01:24:21PM -0500, John Kelsey wrote:
>> Why not just XOR RD_RAND outputs with Yarrow outputs?  That guarantees
>> strong results if either one is good.
> 
> Yes, to reprise the /dev/*random robustness thread, we need as many
> inputs to the CSPRNG as possible.  Heck, even a constant seed and a seed
> saved from the previous boot.  As long as the PRNG is cryptographically
> secure and at least one source of boot-time (and subsequent) entropy is
> predictable by would-be attackers, this should be good enough.

It's interesting to ask where the biggest risks are here.  My intuition is that the OS RNGs are often not all that secure, especially soon after boot.  So my first recommendation would be to draw 256 or so bits from RD_RAND and feed them into the OS RNG, with zero assessed entropy.  That gets the OS RNG to a strong state right away if RD_RAND isn't weak.  (Even some ways it could be weak would be masked by using it this way.)  That all by itself would get you to a secure system if the Intel RNG is good.

You can then XOR the RD_RAND outputs into the RNG outputs to get (if the Intel RNG is as good as it claims) something close to full entropy outputs.  So long as the RD_RAND outputs aren't somehow predicting the OS RNG outputs, this can only improve the security of the OS RNG outputs.

There are obviously many other perfectly fine ways to use them together--for example, initializing a good DRBG with the OS's entropy, and then reseeding it before every output with bits from RD_RAND.  Or initializing a DRBG with RD_RAND and sending in 256 bits of additional input from the OS RNG after it starts working.

My sense is that the Intel RNG is almost certainly a huge improvement in security.  It's certainly smart to think about how to use it in a way that doesn't fall apart if the RNG is broken somehow, but it's also smart to realize that what we have now apparently isn't all that great!

--John
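Added example, not part of the list message or of FreeBSD's code: a toy model in Python of the two steps described above, mixing hardware RNG output into the OS pool with zero assessed entropy, then XORing the two output streams. The Pool class is a stand-in for the OS RNG rather than Yarrow's actual design, and the hardware bytes are constructed (secrets.token_bytes stands in for RD_RAND).

```python
import hashlib
import hmac
import os
import secrets

class Pool:
    """Toy entropy pool standing in for the OS RNG (not Yarrow's real design)."""

    def __init__(self) -> None:
        self.state = bytes(32)   # secret state, hashed forward on every input
        self.credit = 0          # entropy bits the pool *believes* it holds

    def mix_in(self, data: bytes, assessed_bits: int = 0) -> None:
        # Every input perturbs the state; only trusted inputs add credit.
        self.state = hashlib.sha256(self.state + data).digest()
        self.credit += assessed_bits

    def output(self, n: int) -> bytes:
        # HMAC in counter mode, then ratchet the state so that a later
        # state compromise does not reveal earlier outputs.
        blocks = (hmac.new(self.state, i.to_bytes(4, "big"), "sha256").digest()
                  for i in range((n + 31) // 32))
        out = b"".join(blocks)
        self.state = hashlib.sha256(self.state + b"ratchet").digest()
        return out[:n]

def seed_from_hardware(pool: Pool, hw_bytes: bytes) -> int:
    """Step 1: mix hardware RNG output in with zero assessed entropy.

    The state becomes strong if the hardware bytes are good, but the credit
    is unchanged, so a broken hardware RNG cannot make the pool report
    readiness early. Returns the (unchanged) credit.
    """
    pool.mix_in(hw_bytes, assessed_bits=0)
    return pool.credit

def combine(os_out: bytes, hw_out: bytes) -> bytes:
    """Step 2: XOR the two output streams; if either stream is uniform and
    independent of the other, so is the result, and a predictable stream on
    one side simply cancels out."""
    if len(os_out) != len(hw_out):
        raise ValueError("streams must be the same length")
    return bytes(a ^ b for a, b in zip(os_out, hw_out))

if __name__ == "__main__":
    pool = Pool()
    seed_from_hardware(pool, secrets.token_bytes(32))  # stand-in for RD_RAND
    pool.mix_in(os.urandom(32), assessed_bits=256)     # stand-in for OS entropy
    print(combine(pool.output(16), secrets.token_bytes(16)).hex())
```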
