Lucky Green writes:
> Your post is the third or fourth post I have seen in the last year that
> claims that Paul concluded that Intel's RNG outputs strong random numbers.

Such as when they said (http://www.cryptography.com/intelRNG.pdf):

   Cryptographically, we believe that the Intel RNG is strong and that
   it is unlikely that any computationally feasible test will be found
   to distinguish data produced by Intel's RNG library from output from
   a perfect RNG. As a result, we believe that the RNG is by far the most
   reliable source of secure random data available in the PC.

Right, it would be a real stretch from this to claim that Paul concluded
that Intel's RNG outputs strong random numbers.

> Paul and Ben did not draw any conclusions about the quality of the random
> numbers generated by Intel's RNG as fielded. Nor could they have drawn such
> conclusions, since neither was given an opportunity to analyze known (to
> them) unwhitened output of the RNG. Which they carefully mention in their
> paper. You may wish to read Section 4 of the document you cited more
> carefully.

It is true that the analysis relied ultimately on information supplied by
Intel, not just for the random data, but for the architecture of the RNG
as well.  Obviously Jun and Kocher did not put a device under an electron
microscope or start etching off layers.  So sure, Intel could have lied
through their teeth, lied about everything, presented a strong design
producing good data, then put in something completely different.  Or even
if they'd supplied a chip sample and the researchers had independently
verified the mask and data, Intel could have changed the design for the
shipping parts.

But Intel could easily get caught in such a fraud, and imagine the fallout
if this happened.  These parts are in systems now, and Kocher could in
theory take one out and compare it with the design information he got
from Intel.  If there's a SHA-1 hash on that chip as some have proposed,
it would stand out like a sore thumb.

And attempts by Intel to present fake random data would have been
even more foolish.  Everyone who's got a chip now can catch them.
They've published exactly what you need to do to get data from the chip.
It takes two lines of code to pull out a byte.  Kocher, you, I, or anyone
else can grab data from this chip and run exactly the same statistical
tests described in his report.  If the chip is producing crappy random
numbers, people will know.

Paranoids will never be satisfied, short of nationalizing the security
industry and putting them in charge (and even then they'd soon stop
trusting one another).  The bottom line is, as Kocher says, the Intel
RNG is BY FAR the best source of secure random data available in the PC.

Previously the paranoids pointed to the lack of information on accessing
the chip hardware as evidence of a cover-up.  Now that obstacle has been
removed, and they fall back on muttering about fake data.  Note that
no thanks have been offered to Intel for releasing the spec, clearly
a step taken in order to facilitate open source development (drivers
already existed for Windows).  Apparently gratitude is too much to ask
from the open source security community.

It's time to put these ravings aside, and work to incorporate this RNG
as a source for Linux /dev/random.  The Linux IPSEC developers need it
badly, for stand-alone servers which have to generate new session keys at
a high rate.  What they have now sucks, and they know it.  By providing
a high volume source of good randomness, the Intel RNG will tremendously
improve the security of network communications.
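The kind of check the post says anyone with a chip can run, as an added example that is not part of the original message and is not Intel's or Kocher's test code. It implements four classic quick tests (monobit, byte-frequency chi-square, longest run of identical bits, lag-1 serial correlation) and runs them over constructed inputs: a deterministic SHA-256 counter-mode stream standing in for good chip output, a source with a stuck bit, and a plain byte counter. The pass bands, the 32 KiB sample size, and the /dev/hwrng path mentioned in `read_source` are assumptions for the example, not bounds or interfaces taken from the report.

```python
"""Statistical sanity checks over bytes pulled from a hardware RNG.

Added example, not code from the original post. Thresholds are
rule-of-thumb bounds for 32 KiB samples (assumed), not the bounds of any
published test suite; a source that fails them is grossly defective, but
passing them is only a sanity check, not proof of strength.
"""
import hashlib
import math
import sys

SAMPLE_BYTES = 32 * 1024  # assumed sample size; BOUNDS below are tuned for it


def read_source(path, n=SAMPLE_BYTES):
    """Read n bytes from a device or file (e.g. /dev/hwrng on a modern Linux box)."""
    with open(path, "rb") as f:
        data = f.read(n)
    if len(data) < n:
        raise ValueError(f"short read from {path}: {len(data)} of {n} bytes")
    return data


def drbg_bytes(n, seed=b"constructed-seed"):
    """Constructed stand-in for good RNG output: SHA-256 in counter mode.
    Deterministic so the example is reproducible; it is NOT a hardware source."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def stuck_bit_source(n):
    """Constructed defective source: bit 7 of every byte stuck at zero."""
    return bytes(b & 0x7F for b in drbg_bytes(n))


def counter_source(n):
    """Constructed defective source: a byte counter, perfectly uniform but predictable."""
    return bytes(i & 0xFF for i in range(n))


def monobit(data):
    """Fraction of one bits; about 0.5 for a good source."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))


def chi_square_bytes(data):
    """Chi-square of byte frequencies against uniform, 255 degrees of freedom.
    Expect roughly 255 (std about 22.6). Far above means bias; far below means
    the data is too even to be random, as a counter is."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def longest_bit_run(data):
    """Length of the longest run of identical bits; for N bits expect about log2(N)."""
    longest = run = 0
    prev = None
    for b in data:
        for i in range(7, -1, -1):
            bit = (b >> i) & 1
            run = run + 1 if bit == prev else 1
            prev = bit
            longest = max(longest, run)
    return longest


def serial_correlation(data):
    """Lag-1 Pearson correlation between successive bytes; about 0 for random
    data, near 1 for a counter. A constant stream has no variance; report 1.0."""
    xs, ys = data[:-1], data[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    vx = sum((a - mx) ** 2 for a in xs)
    vy = sum((b - my) ** 2 for b in ys)
    if vx == 0 or vy == 0:
        return 1.0
    return cov / math.sqrt(vx * vy)


# Assumed pass bands for SAMPLE_BYTES-sized inputs, roughly 6+ standard
# deviations wide, so a genuinely random sample essentially never fails.
BOUNDS = {
    "monobit": (0.49, 0.51),
    "chi_square": (120.0, 450.0),
    "longest_run": (0, 40),
    "serial_correlation": (-0.04, 0.04),
}


def evaluate(data):
    """Run every check; returns {name: (value, passed)}."""
    values = {
        "monobit": monobit(data),
        "chi_square": chi_square_bytes(data),
        "longest_run": longest_bit_run(data),
        "serial_correlation": serial_correlation(data),
    }
    return {k: (v, BOUNDS[k][0] <= v <= BOUNDS[k][1]) for k, v in values.items()}


def all_pass(data):
    return all(ok for _, ok in evaluate(data).values())


if __name__ == "__main__":
    sources = {"constructed good": drbg_bytes(SAMPLE_BYTES),
               "stuck bit 7": stuck_bit_source(SAMPLE_BYTES),
               "counter": counter_source(SAMPLE_BYTES)}
    if len(sys.argv) > 1:  # e.g. python rngcheck.py /dev/hwrng
        sources[sys.argv[1]] = read_source(sys.argv[1])
    for label, data in sources.items():
        print(f"== {label}")
        for name, (value, ok) in evaluate(data).items():
            print(f"  {name:20s} {value:10.4f}  {'ok' if ok else 'FAIL'}")
```

The counter is the instructive case: it passes monobit exactly (every byte value appears equally often) and only the chi-square lower bound and the serial correlation catch it, which is why a single test is never enough and why "the same statistical tests described in his report" should be run as a set.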
