[Cryptography] [cryptography] Random number generation influenced, HW RNG
dj at deadhat.com
Mon Sep 9 00:40:34 EDT 2013
On 9/8/2013 4:27 AM, Eugen Leitl wrote:
> ----- Forwarded message from "James A. Donald" <jamesd at echeque.com> -----
> Date: Sun, 08 Sep 2013 08:34:53 +1000
> From: "James A. Donald" <jamesd at echeque.com>
> To: cryptography at randombit.net
> Subject: Re: [cryptography] Random number generation influenced, HW RNG
> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
> Reply-To: jamesd at echeque.com
> On 2013-09-08 3:48 AM, David Johnston wrote:
>> Claiming the NSA colluded with intel to backdoor RdRand is also to
>> accuse me personally of having colluded with the NSA in producing a
>> subverted design. I did not.
> Well, since you personally did this, would you care to explain the
> very strange design decision to whiten the numbers on chip, and not
> provide direct access to the raw unwhitened output.
#1 So that that state remains secret from things trying to discern that
state for purposes of predicting past or future outputs of the DRBG.
#2 So that one thread cannot undermine a second thread by putting the
DRNG into a broken mode. There is only one DRNG, not one per core or one
per thread. Having one DRNG per thread would be one of the many
preconditions necessary before this could be contemplated.
#3 Any method of access is going have to be documented and supported and
maintained as a constant interface across many generations of chip. We
don't throw that sort of thing into the PC architecture without a good
#4 Obviously there are debug modes to access raw entropy source
output. The privilege required to access those modes is the same debug
access necessary to undermine the security of the system. This only
happens in very controlled circumstances.
> A decision that even assuming the utmost virtue on the part of the
> designers, leaves open the possibility of malfunctions going
That's what BIST is for. It's a FIPS and SP800-90 requirement.
> That is a question a great many people have asked, and we have not
> received any answers.
Yes they have. I've answered this same question multiple times.
> Access to the raw output would have made it possible to determine that
> the random numbers were in fact generated by the physical process
> described, since it is hard and would cost a lot of silicon to
> simulate the various subtle offwhite characteristics of a well
> described actual physical process.
Access to the raw output would have been a massive can of worms. The
statistical properties of the entropy source are easy to model and easy
to test online in hardware. They are described in the CRI paper if you
want to read them. That's a necessary part of a good entropy source. If
you can't build an effective online test in hardware then the entropy
source is not fit for purpose.
More information about the cryptography