At 6:19 pm -0500 2000-01-26, Tom McCune wrote:
>Just in case anyone else is interested in my findings on whether I could
>use the Intel RNG with my Celeron machine:
>I needed help to find the driver installation file at the Dell site
>- I had searched for Intel RNG, but it can be found by searching for
>Intel Security Driver.  It can be used by Celeron machines, but not
>mine:    :-(

Tom,

If you're right, this could be a *feature* of your Celeron, not a bug.

Persons who shall remain nameless shared some info with me (under
privacy lock: I'm not prepared to discuss the details they provided
in public without permission) about the Intel RNG and how it was
presented for review by various software vendors. Coupled with my
experience in my former corporate security job where we "reviewed"
limited aspects of similar Intel technology, I'm now just about on
the same wavelength as Bill Geiger at this point (though our styles
differ significantly, I respect Bill's learnéd opinion).
This is to say that:

(A) I'm not sanguine about it being a "default" in any version of
      PGP, knowing what I do and having been told more by others,
(B) I strongly encourage the PGP engineering group to include an
      explicit checkbox preference/option for disabling PGP's use
      of the Intel RNG completely into v7.0,
(C) I'm troubled that Intel has not yet --even at this late date--
      provided comprehensive technical data on how the RNG works
      for public review and,
(D) I'm extremely glad there doesn't appear to be one in my Mac or
      SparcStation, and my hand-built PC's have AMD K2/3's in 'em. ;)

I'm definitely NOT out to scare anyone or start any silly rumors, so
if anyone on this list is unclear about why this COULD BE a very
serious security threat situation, FIRST, I recommend that you not
comment on the situation off of this list (i.e. starting uninformed
rumors on Usenet or elsewhere) unless you're a mathematician or
security professional who knows something about random number
generation and SECOND that you be aware of the following: ALL of the
strength of your cryptographic security is based primarily on RNGs
(Random Number Generators) and their ability to generate
cryptographically-random seed values for everything from public
keypair generation (your identity and security) to session key
generation (each message's cryptographic randomness).

Left on its own, PGP's software PseudoRNG has been studied
extensively, and while it's not *perfect* the community knows its
flaws, considers them manageable, and has compensated for them
adequately to date.

Also, I'm NOT saying that the following is the status quo, but a
cautious person's analysis of hypothetical situations where the
unknown Intel RNG could be a security threat might go something like
this:

IF 1+2+3+4=TRUE, where:

(1) a large security software vendor were pressured at the executive
      level and unknown to the engineering staff,
(2) (directly or indirectly) by government officials in charge of
      message interception,
(3) to incorporate a piece of hardware, designed in secret and kept
      proprietary, that generated flawed randomness and thus provides
      traction for cryptanalytic attacks
(4) even on large keysizes now allowed for export under current
      regulations and thought (mistakenly?) by the security community
      to be reasonably secure...

THEN:
A product from that vendor using that hardware RNG cannot truly be
considered secure against the most sophisticated attacker.

The solution would be for Intel to fully divulge precisely how its
RNG works, not only to vendors like the hypothetical one above, but
to the entire Internet community. If it turns out that it's a really
great RNG, then we can all rest more easily. If it turns out that it
produces non-random strings that compromise keys and messages (and
adds processor-unique id strings and timestamps ;), then all PGP
users have the right to know about it immediately and eschew use of
Intel products that incorporate that RNG.

Several good questions remain unanswered: why has Intel not revealed
how this RNG works to the world? Why has Intel not at least
completely divulged the internal functions to the PGP engineering
team (who I'd trust a lot more than Intel, since they have good
engineers on staff who still *have* a reputation for integrity to
protect)? What exactly are they protecting themselves from, or what
pressures are they under from external entities to provide an
intentionally-flawed security product to benefit the spy agencies,
a la the infamous Walsh Report?
(cf. <http://www.efa.org.au/Issues/Crypto/Walsh/index.htm>.)

Keep in mind that the vendors themselves may be unwitting victims of
Intel's (forced?) collaboration with unknown agencies.

Note also that OpenPGP would *never* incorporate RNG input from a
proprietary device as a "MUST" in any draft or RFC. NAI's PGP is not
currently fully OpenPGP-compliant in this regard, though it's
functionally interoperable with OpenPGP implementations (e.g. GnuPG).

I realize that NDAs may prevent certain public discussions from
occurring (one reason I hate them in the security architecture
field), but I nevertheless encourage the people at various vendors,
who have released products that can or do use the Intel RNG, to step
forward and discuss their findings and feelings about the Intel RNG
with the community of users and customers who rely on their products
for security and/or authentication. I encourage them to do so before
any nasty revelations thoroughly discredit Intel's RNG and pull
everyone who trusted it down with Intel in yet another complacency
fiasco that might permanently damage the reputations of otherwise
quality engineers.

BTW, I strongly advise against any kind of hysteria or name-calling
in this thread: let's approach this professionally and calmly and
encourage the folks involved to do the Right Thing as soon as they
are able to. The only thing we all have to fear here is continued
silence...

Sure would be interesting to hear from Intel... if they have someone
monitoring these lists.

{distant sound of wrench falling at the other end of a long, echoey hall}

    dave

_____________________________________________________
"To a cryptographer, 'unknown' equals 'not secure.'"
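Added example, not code from this thread nor from PGP, NAI or Intel: a small Python model of the two points the message makes, that key strength is bounded by the entropy that seeded generation, and (point B) that an opaque hardware source should at most be one input to a mixing pool behind a user-controlled switch, never the sole source. Every name here is constructed for illustration: `biased_source` is a stand-in for an unknown device and not a model of the real Intel RNG, `good_source` stands in for the well-studied software PRNG, and the claim that the SHAKE-256 pool stays unpredictable if any single input is unpredictable assumes the hash behaves as a good extractor.

```python
"""Toy model of RNG quality vs. key strength, and of a mixing pool that keeps
an untrusted hardware source from becoming a single point of failure.
All sources below are constructed for the example; none models a real device."""
import hashlib
import math

PASS_THRESHOLD = 0.01  # conventional significance level for NIST SP 800-22 tests


def biased_source(nbytes: int, one_prob: float = 0.75, seed: int = 1) -> bytes:
    """Constructed, deliberately flawed source: each output bit is 1 with
    probability one_prob, and the whole stream is fixed by a tiny seed, so it
    is both biased and low-entropy (a stand-in for an unknown device)."""
    state = seed & 0x7FFFFFFF
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for bit in range(8):
            state = (state * 1103515245 + 12345) & 0x7FFFFFFF  # toy LCG step
            if (state >> 16) / 32768.0 < one_prob:
                byte |= 1 << bit
        out.append(byte)
    return bytes(out)


def good_source(nbytes: int, seed: bytes = b"constructed-seed") -> bytes:
    """Stand-in for a trusted software PRNG: SHA-256 in counter mode from a
    fixed seed, so the example is reproducible offline."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test.  Returns the p-value; below
    PASS_THRESHOLD the ones/zeros balance is far from uniform.  Passing is
    necessary, not sufficient: a biased source fails, but a low-entropy yet
    balanced stream can still pass, which is why review of the design matters."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def passes_monobit(data: bytes) -> bool:
    return monobit_p_value(data) >= PASS_THRESHOLD


def mix_pool(sources, out_len: int = 32) -> bytes:
    """Hash-based pool: each source is length-prefixed and absorbed into
    SHAKE-256.  Assuming the hash acts as a good extractor, the output is
    unpredictable if ANY single input was; a bad input adds nothing but
    cannot cancel a good one."""
    h = hashlib.shake_256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest(out_len)


def session_key(trust_hardware: bool, hw_bytes: bytes, sw_bytes: bytes,
                key_len: int = 16) -> bytes:
    """Policy from point (B): the hardware source is an optional extra input,
    never the only one, and a preference can exclude it entirely."""
    sources = [sw_bytes] + ([hw_bytes] if trust_hardware else [])
    return mix_pool(sources, key_len)


def effective_strength_bits(seed_entropy_bits: int, key_bits: int) -> int:
    """A key is no stronger than the entropy that seeded its generation:
    a 2048-bit key derived from a 16-bit seed leaves only 2**16 candidates."""
    return min(seed_entropy_bits, key_bits)


if __name__ == "__main__":
    hw = biased_source(4096)
    sw = good_source(4096)
    print("biased source passes monobit:", passes_monobit(hw))  # False
    print("mixed pool passes monobit:   ", passes_monobit(mix_pool([hw, sw], 4096)))
    print("key with/without hw input differ:",
          session_key(True, hw, sw) != session_key(False, hw, sw))
    print("2048-bit key from 16-bit seed:", effective_strength_bits(16, 2048), "bits")
```

The frequency test is the cheapest of the SP 800-22 checks and catches the bias the constructed source has, but it says nothing about the size of the seed space; that is exactly the property that can only be judged from the design documentation the message asks Intel to publish.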
