[cryptography] Random number generation influenced, HW RNG
----- Forwarded message from "James A. Donald" <[email protected]> -----
Date: Mon, 09 Sep 2013 07:25:11 +1000
From: "James A. Donald" <[email protected]>
To: Thor Lancelot Simon <[email protected]>
Cc: [email protected]
Subject: Re: [cryptography] Random number generation influenced, HW RNG
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
Reply-To: [email protected]
On 2013-09-09 1:54 AM, Thor Lancelot Simon wrote:
> On Sun, Sep 08, 2013 at 03:00:39PM +1000, James A. Donald wrote:
>> On 2013-09-08 1:25 PM, Thor Lancelot Simon wrote:
>>> On Sun, Sep 08, 2013 at 08:34:53AM +1000, James A. Donald wrote:
>>>> Well, since you personally did this, would you care to explain the
>>>> very strange design decision to whiten the numbers on chip, and not
>>>> provide direct access to the raw unwhitened output.
>>> You know as soon as anyone complained about this, they turned around
>>> and provided access to the unwhitened output in the next major version
>>> of the same product family, right?
>> I am not aware of this. Could you provide further details?
> http://software.intel.com/en-us/blogs/2012/11/17/the-difference-between-rdrand-and-rdseed
RDSEED provides the output of the /enhanced/ non-deterministic random
number generator (ENRNG).
Which is "enhanced" by being whitened.
And therefore makes it just as impossible to tell if the supposed
randomness is backdoored as RDRAND does.
What we need is the output of the entropy source.
Supposedly we have a circuit that generates fairly random off-white
noise (the entropy source). This is then AES encrypted (the enhanced
non-deterministic number generator), and the enhanced
non-deterministic random number generator then continuously seeds a pseudo
random number generator, which provides the output of RDRAND.
To tell if there is a backdoor or not, we need the output of the
entropy source, unenhanced.
If the entropy source is real, it will show its analog characteristics
leaking into the digital abstraction. The correlations and
anti-correlations between nearby bits will reflect the analog values of the
circuit, thus no two chips will show quite the same correlations, and
the correlations will vary with temperature and overclocking. These
analog variations would be compelling evidence that the entropy source
is something very like the claimed circuit.
Because RDSEED gives us the encrypted output of the entropy source, we
cannot tell if the entropy source is a real entropy source, or a
counter encrypted with the NSA's secret key.
Since the whitening is deterministic, it is potentially reversible,
but Intel does not appear to be releasing sufficient information to
reverse it.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
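As an added illustration (not part of the thread and not Intel's or the poster's code), the following Python sketch shows the kind of statistical check the message argues for: a constructed, deliberately off-white bit source exhibits bias and correlation between nearby bits, while a deterministically whitened copy of the same bits (SHA-256 standing in for the on-chip AES step, a hypothetical substitute) shows neither, which is why whitened output alone cannot tell a genuine entropy source from something else.

```python
import hashlib
import random

def raw_source_bits(n, bias=0.55, stickiness=0.3, seed=1):
    """Constructed stand-in for an unwhitened entropy source: each bit leans
    toward 1 and, with probability `stickiness`, repeats its predecessor
    (a crude model of analog memory in the circuit)."""
    rng = random.Random(seed)
    bits, prev = [], 0
    for _ in range(n):
        if rng.random() < stickiness:
            b = prev
        else:
            b = 1 if rng.random() < bias else 0
        bits.append(b)
        prev = b
    return bits

def whiten(bits):
    """Deterministic conditioning standing in for the on-chip AES step:
    hash each 256-bit block with SHA-256 and emit the digest's bits."""
    out = []
    for i in range(0, len(bits) - len(bits) % 256, 256):
        raw = int("".join(map(str, bits[i:i + 256])), 2).to_bytes(32, "big")
        for byte in hashlib.sha256(raw).digest():
            out.extend((byte >> (7 - j)) & 1 for j in range(8))
    return out

def lag_correlation(bits, lag):
    """Pearson correlation between bit i and bit i+lag (about 0 for an ideal source)."""
    n = len(bits) - lag
    x, y = bits[:n], bits[lag:lag + n]
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    vx = sum((a - mx) ** 2 for a in x) / n
    vy = sum((b - my) ** 2 for b in y) / n
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5

def analyse(n=65536):
    """Bias and lag-1/lag-2 correlation for the raw stream and its whitened copy."""
    raw = raw_source_bits(n)
    stats = {}
    for name, stream in (("raw", raw), ("whitened", whiten(raw))):
        stats[name] = {
            "bias": sum(stream) / len(stream) - 0.5,
            "lag1": lag_correlation(stream, 1),
            "lag2": lag_correlation(stream, 2),
        }
    return stats
```

With the constructed source, the raw stream shows a lag-1 correlation near the stickiness value (0.3) and a bias near +0.05, while the whitened stream's figures sit within sampling noise of zero; only the raw output carries the evidence.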