On Tue, Feb 01, 2000 at 09:00:33PM -0800, Dave Del Torto wrote:
> At 6:19 pm -0500 2000-01-26, Tom McCune wrote:
> >Just in case anyone else is interested in my findings on whether I could
> >use the Intel RNG with my Celeron machine:
> >I needed help to find the driver installation file at the Dell site
> >- I had searched for Intel RNG, but it can be found by searching for
> >Intel Security Driver.  It can be used by Celeron machines, but not
> >mine:    :-(
> 
> Tom,
> 
> If you're right, this could be a *feature* of your Celeron, not a bug.
> 
> Persons who shall remain nameless shared some info with me (under
> privacy lock: I'm not prepared to discuss the details they provided
> in public without permission) about the Intel RNG and how it was
> presented for review by various software vendors. Coupled with my
> experience in my former corporate security job where we "reviewed"
> limited aspects of similar Intel technology, I'm now just about on
> the same wavelength as Bill Geiger at this point (though our styles
> differ significantly, I respect Bill's learnéd opinion).
> This is to say that:
> 
> (A) I'm not sanguine about it being a "default" in any version of
>       PGP, knowing what I do and having been told more by others,
> (B) I strongly encourage the PGP engineering group to include an
>       explicit checkbox preference/option for disabling PGP's use
>       of the Intel RNG completely into v7.0,
> (C) I'm troubled that Intel has not yet --even at this late date--
>       provided comprehensive technical data on how the RNG works
>       for public review and,
> (D) I'm extremely glad there doesn't appear to be one in my Mac or
>       SparcStation, and my hand-built PC's have AMD K2/3's in 'em. ;)

[..]


I've also received Intel security info under NDA (and nothing in
this post will violate same).  I do not think that your point D is
fair- even if the Intel RNG is totally and utterly compromised, it's
not a threat to your security just by being there on the chip.
Something has to call it and use its output in a protocol.
I do agree with point B however.

Until Intel releases the design for the RNG, I would treat it the same
as any suspect source of entropy- assume that it can contain no
entropy.  That means that you whiten its output before mixing it
together with your other entropy sources (some of which you believe do
provide real entropy) to provide random numbers.  If your entropy pool
mechanism would still provide good random numbers if it got a constant
stream of zeros from the Intel RNG, then there's no harm that a
compromised Intel RNG could do to your protocol.
Don't use the Intel RNG's results directly in your protocols!
Heck, I don't even do that for h/w RNGs I _do_ know the design of.

Intel's refusal to publish info on their RNG could be because it's
compromised, or because their security people (some of whom are ex-
government) think that there is value to secrecy, or from some misguided
"trade secret" intellectual property reason (RNGs being patentable and
worth some money).  Unfortunately none of those reasons are all that
great.



-- 
 Eric Murray www.lne.com/~ericm  ericm at the site lne.com  PGP keyid:E03F65E5
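The mixing discipline Eric describes above (whiten the suspect hardware output, fold it into a pool alongside sources you do trust, and check that a constant stream of zeros from the hardware RNG would not hurt the result) as an added worked example. This is illustrative code written for this archive page, not anything from the thread's authors, from PGP, or from Intel's driver; the pool construction (HMAC-SHA256 chaining with a ratchet on extraction), the source names and the sample inputs are all assumptions made here.

```python
"""Entropy pool that treats a hardware RNG as an untrusted contributor.

Added example (not from the mailing-list post). The design is one plausible
way to do what the post recommends; the source labels and samples below are
constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac

BLOCK = hashlib.sha256().digest_size  # 32 bytes


def whiten(raw: bytes) -> bytes:
    """Whiten suspect RNG output: the pool only ever sees a hash of it, so
    bias or structure in the raw bytes cannot show up in the mix."""
    return hashlib.sha256(b"whiten" + raw).digest()


class EntropyPool:
    """Keyed-hash mixing: each contribution is folded in with HMAC over the
    previous pool state, so no single source can cancel out the others."""

    def __init__(self) -> None:
        self._state = bytes(BLOCK)

    def add(self, source: str, sample: bytes, trusted: bool) -> None:
        if not trusted:
            sample = whiten(sample)
        # Label each contribution so "abc" from one source and "abc" from
        # another are not the same event.
        msg = source.encode() + b"\x00" + sample
        self._state = hmac.new(self._state, msg, hashlib.sha256).digest()

    def extract(self, n: int) -> bytes:
        """Derive n output bytes, then ratchet the state forward so a later
        state leak does not reveal earlier outputs."""
        out = b""
        block = 0
        while len(out) < n:
            out += hmac.new(self._state, b"out" + block.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            block += 1
        self._state = hmac.new(self._state, b"ratchet", hashlib.sha256).digest()
        return out[:n]


# Constructed stand-ins for sources the post would "believe do provide real
# entropy": interrupt timing jitter and keystroke timings. Not real captures.
TRUSTED_SAMPLES = [
    bytes.fromhex("9f3a17c4e0b25d66a1f0c3b8"),   # timing jitter (constructed)
    bytes.fromhex("0041007300640066e21a"),       # keystroke timings (constructed)
]


def derive_key(hw_rng_sample: bytes, trusted_samples: list[bytes],
               n: int = 32) -> bytes:
    """Mix the hardware RNG output (untrusted) with the trusted samples."""
    pool = EntropyPool()
    pool.add("hw-rng", hw_rng_sample, trusted=False)
    for k, sample in enumerate(trusted_samples):
        pool.add(f"trusted-{k}", sample, trusted=True)
    return pool.extract(n)


def survives_dead_source(trusted_samples: list[bytes]) -> bool:
    """The check from the post: with the hardware RNG delivering only zeros,
    does the output still depend on the other sources?  Flipping one bit of
    a trusted sample must change the derived key."""
    dead = bytes(64)
    k0 = derive_key(dead, trusted_samples)
    first = trusted_samples[0]
    flipped = [bytes([first[0] ^ 0x01]) + first[1:]] + trusted_samples[1:]
    k1 = derive_key(dead, flipped)
    return len(k0) == 32 and k0 != k1


if __name__ == "__main__":
    print("pool survives a dead hardware RNG:", survives_dead_source(TRUSTED_SAMPLES))
    print("key with zeroed hw rng:", derive_key(bytes(64), TRUSTED_SAMPLES).hex())
```

The property being checked is the one the post states: if the hardware source is replaced by a constant, the output is still a keyed function of the sources you do trust, so a compromised chip gains nothing beyond what it would have had by not existing. When the hardware source is genuine, its (whitened) contribution still changes the output, so nothing is lost by treating it as suspect.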
