[Cryptography] [cryptography] Random number generation influenced, HW RNG

Eric Young eay at pobox.com
Tue Sep 10 06:58:20 EDT 2013

On Sun, 2013-09-08 at 13:27 +0200, Eugen Leitl wrote:
> ----- Forwarded message from "James A. Donald" <jamesd at echeque.com> -----
> On 2013-09-08 3:48 AM, David Johnston wrote:
> > Claiming the NSA colluded with intel to backdoor RdRand is also to
> > accuse me personally of having colluded with the NSA in producing a
> > subverted design. I did not.
> Well, since you personally did this, would you care to explain the
> very strange design decision to whiten the numbers on chip, and not
> provide direct access to the raw unwhitened output.
> A decision that even assuming the utmost virtue on the part of the
> designers, leaves open the possibility of malfunctions going
> undetected.

I may have missed this part of the thread, but I'm interested in knowing
the rationale for letting the hypervisor intercept the RDRAND call and
return any value it likes, bypassing the random hardware.

I've had one person speculate it would be useful for keeping 2 CPUs in
sync, (the TSC can also be intercepted), but it does worry me that
RDRAND calls can be rendered predictable by a compromised VM.


For those interested,
Intel document 325462.pdf, "Intel® 64 and IA-32 Architectures Software
Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C"
Page 'Vol. 3C 27-23', Table 27-12. Format of the VM-Exit
Instruction-Information Field as Used for RDRAND
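
Added example, not part of Eric Young's message or of the quoted posts: C code (assumed names cpu_has_rdrand, running_under_hypervisor, rdrand64, mix_seed) that reads the CPUID bits for RDRAND support and hypervisor presence, executes RDRAND with the retry loop Intel documents, and mixes the result with an independent source so that a VMM intercepting RDRAND cannot by itself make the seed predictable.

```c
#include <stdint.h>
#include <stddef.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif
/* CPUID leaf 1, ECX: bit 30 = RDRAND available, bit 31 = hypervisor present
   (reserved on bare metal; set by common hypervisors). Non-x86-64 builds: 0. */
static unsigned cpuid1_ecx(void) {
#if defined(__x86_64__)
    unsigned a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d)) return c;
#endif
    return 0;
}
int cpu_has_rdrand(void)           { return (cpuid1_ecx() >> 30) & 1; }
int running_under_hypervisor(void) { return (cpuid1_ecx() >> 31) & 1; }
/* RDRAND with the retry loop Intel recommends (CF=0 means "no data yet").
   Returns 1 on success. With the "RDRAND exiting" VM-execution control set,
   the instruction VM-exits and the VMM can supply whatever value it likes. */
int rdrand64(uint64_t *out) {
#if defined(__x86_64__)
    if (!cpu_has_rdrand()) return 0;    /* avoid #UD where unsupported */
    for (int i = 0; i < 10; i++) {
        unsigned char ok;
        __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(*out), "=qm"(ok) : : "cc");
        if (ok) return 1;
    }
#else
    (void)out;
#endif
    return 0;
}
/* Defensive use: never let RDRAND be the sole seed. XOR it with an
   independent source (e.g. the OS pool): if either input is uniform and
   independent of the other, the output is uniform, so controlling RDRAND
   alone gains an attacker nothing. Real pools hash; XOR shows the property. */
void mix_seed(const uint8_t *hw, const uint8_t *os, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = hw[i] ^ os[i];
}
/* Constructed vector: an all-zero "intercepted" RDRAND value leaves the
   output equal to the independent source, i.e. still unpredictable. */
int mix_self_test(void) {
    const uint8_t hw[4] = {0, 0, 0, 0}, os[4] = {0xde, 0xad, 0xbe, 0xef};
    uint8_t out[4];
    mix_seed(hw, os, 4, out);
    return out[0] == 0xde && out[1] == 0xad && out[2] == 0xbe && out[3] == 0xef;
}
/* 1 when RDRAND succeeds exactly when CPUID reports it available. */
int rdrand_self_check(void) { uint64_t v = 0; return rdrand64(&v) == cpu_has_rdrand(); }
```

A guest that sees running_under_hypervisor() set should treat rdrand64() output as one untrusted contribution to its pool, not as the pool itself.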