[Cryptography] Use of RDRAND in Haskell's TLS RNG?
Mark Steward
marksteward at gmail.com
Sat Nov 26 08:04:18 EST 2016
Links below taken from
https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide
Here's a diagram which shows what we're offered:
https://software.intel.com/sites/default/files/managed/49/ec/DRNG_img02.jpg
Arnold is saying that if we had access to the output of "Hardware Entropy
Source" it might be possible to verify the quality of that data, and to get
confidence that the intervening steps aren't subverted by default. As it
is, we have a black box, and there's nothing that prevents some secret
trigger wiring the DRBG input to a counter.
The black box does its own testing which is exposed by the carry flag:
https://software.intel.com/sites/default/files/managed/15/85/DRNG_img04.jpg
The "Online Entropy Health Tests" have a 256*256bit buffer of entropy,
which is used to sanity check the input and return an error, but which
isn't exposed outside of test processors. This also means the DRNG will by
design fail and return 0 for an uncontrollable subset of inputs.
There's some more detail in
http://www.rambus.com/wp-content/uploads/2015/08/Intel_TRNG_Report_20120312.pdf
(search for "mostly stuck at 1" for an interesting point).
Mark
On Sat, Nov 26, 2016 at 5:41 AM, Viktor Dukhovni <cryptography at dukhovni.org>
wrote:
>
> > On Nov 25, 2016, at 3:55 PM, Arnold Reinhold <agr at me.com> wrote:
> >
> > In addition the need for a proper published audit that bear suggested,
> the most glaring defect in the Intel design is the lack of access to the
> un-whitened random bits. Adding a mode that bypassed the whitener would
> have been simple. Statistical analysis of the raw bit stream can provide
> ongoing assurance that the RNG is doing what it says. Likely there will be
> correlations between raw bit statistics and external parameters such as
> chip temperature and supply voltage. Of course it is possible for a
> deterministic generator to mimic such variations, but it would have to have
> a relatively large footprint on the die compared to simply using the
> whitener in a feedback mode or similar mischief.
>
> It seems you're hinting at:
>
> https://software.intel.com/en-us/blogs/2012/11/17/the-
> difference-between-rdrand-and-rdseed
> https://en.wikipedia.org/wiki/RdRand
>
> RDSEED first appears in Broadwell CPUs, while RDRAND appears earlier in
> Ivy Bridge.
>
> --
> Viktor.
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20161126/d1dc0946/attachment.html>
More information about the cryptography
mailing list