[Cryptography] Use of RDRAND in Haskell's TLS RNG?

John Gilmore gnu at toad.com
Mon Nov 21 02:12:57 EST 2016


> Anyone else care to comment on the wisdom or folly of RDRAND as a
> principal (sole) seeding mechanism for a TLS stack?

Folly.

The beauty of allegedly-random numbers is that you can, and should,
xor them with OTHER independent allegedly-random numbers to produce
something that is no weaker than the strongest of them.

So if you trust RDRAND and somebody else trusts interrupt timing,
mash the two together and you can both trust the result.

And if somebody someday violates your trust in RDRAND, either with a
microcode patch, a virtual machine override, or by having subverted
the chip design years ago, the bastards will also have to predict or
subvert the interrupt timing in order to reduce their search space
enough to break your TLS.

	John

PS:  Isn't Haskell a portable language?  There are plenty of systems
that run on systems other than modern x86 chips.  How could it depend
on RDRAND and remain portable?
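The combining rule in the message above, as an added worked example (this is not code from John Gilmore's post nor from any Haskell TLS library, and the function names, the retry count, and the choice of /dev/urandom and timing jitter as the "other" sources are this example's own assumptions): a seeder that XORs whatever independent sources are available, treats RDRAND as optional so it stays portable, and shows both the property the post relies on (a subverted source contributes only a value the attacker already knows) and the caveat it implies (correlated inputs cancel under XOR).

```c
/* Added example, not from the original message or any Haskell TLS stack.
 * Assumptions: a GNU C compiler; /dev/urandom as the OS pool; timing jitter
 * as a (weak) stand-in for interrupt timing. Names are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__)
#include <cpuid.h>
#endif

/* An entropy source writes one 64-bit word; returns 1 on success, 0 if unavailable. */
typedef int (*entropy_fn)(uint64_t *out);

/* Source A: RDRAND, used only if CPUID.1:ECX bit 30 advertises it. On any other
 * architecture it reports "unavailable", which is what keeps the seeder portable. */
static int src_rdrand(uint64_t *out)
{
#if defined(__x86_64__)
    unsigned eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx) || !(ecx & (1u << 30)))
        return 0;
    for (int attempt = 0; attempt < 10; attempt++) { /* CF=0 means "retry"; 10 tries is Intel's guidance */
        unsigned char ok;
        __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(*out), "=q"(ok) : : "cc");
        if (ok)
            return 1;
    }
    return 0;
#else
    (void)out;
    return 0;
#endif
}

/* Source B: the OS pool (on Linux fed by interrupt timing, among other inputs). */
static int src_os_pool(uint64_t *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return 0;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1;
}

/* Source C: user-space timing jitter. Few bits per sample and only a stand-in for
 * kernel interrupt timing; it guarantees the mixer always has a second input here. */
static int src_timing_jitter(uint64_t *out)
{
    uint64_t acc = 0;
    for (int i = 0; i < 64; i++) {
        struct timespec t0, t1;
        clock_gettime(CLOCK_MONOTONIC, &t0);
        clock_gettime(CLOCK_MONOTONIC, &t1);
        uint64_t delta = (uint64_t)(t1.tv_nsec - t0.tv_nsec);
        acc = ((acc << 1) | (acc >> 63)) ^ delta; /* rotate, then fold the low bits in */
    }
    *out = acc;
    return 1;
}

/* XOR-mix every source that answers. The seed is unpredictable as long as at
 * least one input was; a subverted source only adds a word the attacker knows.
 * Returns how many sources contributed so the caller can enforce a minimum. */
static size_t mix_seed(const entropy_fn *sources, size_t n, uint64_t *seed)
{
    uint64_t acc = 0;
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t w;
        if (sources[i](&w)) {
            acc ^= w;
            used++;
        }
    }
    *seed = acc;
    return used;
}

/* Real seeding: RDRAND if present, plus the OS pool and jitter. */
static size_t seed_from_platform(uint64_t *seed)
{
    const entropy_fn sources[] = { src_rdrand, src_os_pool, src_timing_jitter };
    return mix_seed(sources, sizeof sources / sizeof sources[0], seed);
}

static size_t platform_source_count(void) { uint64_t s; return seed_from_platform(&s); }

/* Deterministic stand-ins for the argument in the post (constructed values). */
static int src_subverted(uint64_t *out) { *out = 0x0123456789abcdefULL; return 1; } /* attacker knows this */
static int src_honest(uint64_t *out)    { *out = 0x5eed5eed5eed5eedULL; return 1; } /* stands for a good word */

/* Subverted RDRAND XOR honest source: strip the known part and the honest word is intact. */
static uint64_t demo_subverted_source_is_harmless(void)
{
    const entropy_fn sources[] = { src_subverted, src_honest };
    uint64_t seed;
    mix_seed(sources, 2, &seed);
    return seed ^ 0x0123456789abcdefULL;
}

/* The caveat: XOR-ing a source with itself, or any correlated copy, cancels to 0. */
static uint64_t demo_correlated_sources_cancel(void)
{
    const entropy_fn sources[] = { src_honest, src_honest };
    uint64_t seed;
    mix_seed(sources, 2, &seed);
    return seed;
}

int main(void)
{
    uint64_t seed;
    size_t used = seed_from_platform(&seed);
    printf("mixed %zu source(s): seed = %016llx\n", used, (unsigned long long)seed);
    printf("subverted+honest leaves:  %016llx\n", (unsigned long long)demo_subverted_source_is_harmless());
    printf("correlated copies cancel: %016llx\n", (unsigned long long)demo_correlated_sources_cancel());
    return 0;
}
```

The cancellation demo is why the sources must be genuinely independent and why the mixer must not let one source observe the others before answering; a production seeder would also refuse to start when `mix_seed` reports fewer contributing sources than its policy requires, and in practice hashes the concatenated inputs into the DRBG seed rather than raw-XORing them, which keeps the "any one good source suffices" property while removing the cancellation hazard.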
