[Cryptography] Fwd: [IP] 'We cannot trust' Intel and Via's chip-based crypto, FreeBSD developers say

Roland C. Dowdeswell elric at imrryr.org
Tue Dec 17 07:26:00 EST 2013


On Sat, Dec 14, 2013 at 04:54:05PM +0300, ianG wrote:
>

> The RDRAND instruction I'd say is the low hanging fruit, because it
> is called rarely and for precise purposes.  Inside that instruction,
> check whether there is a XOR coming up, of the output of RDRAND and
> some other X.  Likely, that value X is already calculated, sitting
> in a register somewhere.  Do some pre-XOR magic with that X, and the
> RDRAND output, and the secret sauce.

It's probably sufficient to just have RDRAND output a predictable
value XORed with all of the registers.  Given that the only
unpredictable value in any of the registers is going to be the
output of the OS RNG, this would likely be enough.  No need to
check if there's an upcoming XOR, the worst case is that the
scheme doesn't work.

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
