[Cryptography] Use of RDRAND in Haskell's TLS RNG?

Bill Cox waywardgeek at gmail.com
Mon Nov 28 06:19:14 EST 2016


On Sat, Nov 26, 2016 at 4:06 AM, Watson Ladd <watsonbladd at gmail.com> wrote:

>
> Have you looked at the RDRAND circuit and the on-chip power
> distribution network? Your claimed "simple power droop attack" depends
> on the output impedance of the power supply and the variance in the
> current consumption caused by your instructions. Both are potentially
> knowable: did you do the work to know them? Then you have to explain
> how your "simple" attack avoids the on chip health checks.


Yes I looked at the simplified circuit diagram they published, made guesses
as to the missing details (W/L, etc), and simulated it in various
conditions.  The raw DRNG is _very_ power supply sensitive, counter to
Intel's claims.

The output impedance of the power supply generally is not an issue in this
sort of attack.  The power droop on the internal rails happens on the order
of nanoseconds.  The package impedance is generally far too high for the
off-chip caps to have any impact on the attack.  More than likely, all that
matters is local capacitance on the power mesh, and the coupling between
the devices drawing power and the target device.

Bill
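The thread refers to the DRNG's on-chip health checks without saying what such checks do. As an added illustration (not part of the original post, and not Intel's DRNG health-test design), the block below implements the two continuous health tests NIST SP 800-90B specifies for noise sources, the repetition count test (RCT) and the adaptive proportion test (APT), and runs them over two constructed bit streams: a 16-bit maximal-length LFSR standing in for a healthy source, and a stream whose output has collapsed to almost all ones, the kind of degradation a supply droop on the raw noise source would produce. The LFSR, the collapsed stream, the assumed min-entropy of 1 bit per sample and the 1024-sample window are all assumptions of this example.

```python
"""Continuous health tests from NIST SP 800-90B (repetition count test, RCT,
and adaptive proportion test, APT) run over constructed bit streams.
Added illustration only: this is not Intel's on-chip DRNG health-check logic."""
import math

# SP 800-90B fixes the false-alarm probability at alpha = 2^-20 for both tests.
ALPHA_LOG2 = 20


def rct_cutoff(min_entropy_per_sample: float) -> int:
    """RCT cutoff C = 1 + ceil(-log2(alpha) / H)  (SP 800-90B section 4.4.1)."""
    return 1 + math.ceil(ALPHA_LOG2 / min_entropy_per_sample)


def apt_cutoff(window: int, min_entropy_per_sample: float) -> int:
    """APT cutoff: smallest C with P[Binomial(W, 2^-H) <= C] >= 1 - alpha
    (SP 800-90B section 4.4.2).  The binomial CDF is summed in log space
    so that the terms do not underflow for W = 1024."""
    p = 2.0 ** -min_entropy_per_sample
    target = 1.0 - 2.0 ** -ALPHA_LOG2
    cdf = 0.0
    log_w_fact = math.lgamma(window + 1)
    for k in range(window + 1):
        log_pmf = (log_w_fact - math.lgamma(k + 1) - math.lgamma(window - k + 1)
                   + k * math.log(p) + (window - k) * math.log1p(-p))
        cdf += math.exp(log_pmf)
        if cdf >= target:
            return k
    return window


def repetition_count_test(samples, cutoff):
    """Fail (return the offending index) when one value repeats `cutoff` times in a row."""
    run = 1
    for i in range(1, len(samples)):
        if samples[i] == samples[i - 1]:
            run += 1
            if run >= cutoff:
                return i
        else:
            run = 1
    return None


def adaptive_proportion_test(samples, window, cutoff):
    """Fail (return the window start) when the first value of a window of W samples
    occurs at least `cutoff` times within that window.  Windows do not overlap."""
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) >= cutoff:
            return start
    return None


def lfsr_bits(n, state=0xACE1):
    """Constructed stand-in for a healthy source: a 16-bit maximal-length Fibonacci
    LFSR (taps 16, 14, 13, 11).  Its longest run of identical bits is 16, so it
    cannot trip an RCT cutoff above 16, and 1024-bit windows are near balanced."""
    out = []
    for _ in range(n):
        bit = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (bit << 15)
        out.append(state & 1)
    return out


def collapsed_bits(n):
    """Constructed stand-in for a source whose noise has collapsed (the failure mode
    a supply droop on the raw source would cause): almost always 1, with a 0 every
    300th sample."""
    return [0 if i % 300 == 299 else 1 for i in range(n)]


def run_health_tests(samples, min_entropy_per_sample=1.0, window=1024):
    """Return (rct_failure_index, apt_failure_window_start); None means the test passed."""
    rct = repetition_count_test(samples, rct_cutoff(min_entropy_per_sample))
    apt = adaptive_proportion_test(samples, window,
                                   apt_cutoff(window, min_entropy_per_sample))
    return rct, apt


if __name__ == "__main__":
    for name, bits in (("healthy", lfsr_bits(4096)), ("collapsed", collapsed_bits(4096))):
        print(name, run_health_tests(bits))
```

With H = 1 the RCT cutoff is 21 consecutive identical samples and the APT cutoff for a 1024-sample window comes out just under 590, so the collapsed stream is flagged by both tests within the first window while the LFSR stream passes. The tests only bound how far a source can drift from its claimed min-entropy before being caught; a droop that biases the raw bits by a few percent stays below these cutoffs, which is why the conditioning and the conservative entropy claim behind H matter as much as the tests themselves.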