[Cryptography] Use of RDRAND in Haskell's TLS RNG?

Ray Dillinger bear at sonic.net
Sun Nov 27 14:03:42 EST 2016

On 11/22/2016 01:19 PM, dj at deadhat.com wrote:

> If you instead choose to get your random numbers from your OS, that gets
> those random numbers from RdRand, all the OS is doing is adding attack
> surface and reducing performance.

The OS has another job and it's very important:  Even if it were getting
its bits from RDRAND exclusively, it runs a whitener on the numbers
before it gives them back out, to make it harder for everybody - even
the vendor who produced that chip which we can't see into - to predict
or recognize the output.

I call that reducing attack surface, not adding it.  To the extent that
it reduces performance, I'm entirely happy with paying a few CPU cycles
to reduce the attack surface.

Remember, as far as I'm concerned, RDRAND output is only worth five bits
of vendor trust, no matter many bytes of RDRAND output there is.  I
require at minimum 256 bits of trust before I start producing keys.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20161127/ff48c079/attachment.sig>

More information about the cryptography mailing list