Forgot to add that the adversary would have to compromise not only Intel but also AMD CPUs. Not sure about ARM - but if it implements RDRAND then it must be compromised too, otherwise the enemy's victory would be incomplete. ;-) And think of the chips powering mobile devices...
Regards,
Uri

Sent from my iPhone

> On Aug 21, 2017, at 20:06, Paul Dale <paul.d...@oracle.com> wrote:
>
> Uri wrote:
>>> It might also use things like RDRAND / RDSEED which we don't trust.
>> ...
>> From cryptography point of view, it cannot hurt, but may help a lot
>
> There is a scenario where it does hurt:
> https://www.lvh.io/posts/2013/10/thoughts-on-rdrand-in-linux.html
>
> This attack wouldn't be difficult to implement given all the out of order
> execution and look ahead that CPUs do. It requires a compromised RDRAND
> instruction changing the behaviour of a subsequent XOR into a copy. Not only
> would it not be producing random bits but it would remove any randomness from
> the bits you already have.
>
>
> Pauli
> --
> Oracle
> Dr Paul Dale | Cryptographer | Network Security & Encryption
> Phone +61 7 3031 7217
> Oracle Australia
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
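As an added illustration of the failure mode Paul describes in the quoted message (this is example code written for this page, not code from the thread, from OpenSSL or from the linked post), the following Python model shows why a combiner whose last step is `pool XOR hw` is a single point of failure. If that one XOR silently behaves as a copy of the hardware output, every bit of entropy the pool already held is discarded, and an adversary who can predict the hardware output can predict the final output. All "hardware" output here is a constructed, deterministic stand-in; nothing touches a real RDRAND instruction. The sanity check at the end is a coarse software self-test for this model only and is not a defence against a CPU that could also subvert the comparison.

```python
"""Model of an entropy combiner whose final step is pool XOR hw (added example).

Shows the effect of the XOR step degenerating into a copy of the hardware
output, as discussed in the thread. Everything here is constructed in software.
"""
import hashlib
import secrets


def xor_combine(pool: bytes, hw: bytes) -> bytes:
    """Honest combiner: output = pool XOR hardware-RNG output (equal lengths)."""
    assert len(pool) == len(hw)
    return bytes(p ^ h for p, h in zip(pool, hw))


def copy_combine(pool: bytes, hw: bytes) -> bytes:
    """Models the failure from the thread: the XOR behaves as a copy, so the
    pool contribution is thrown away entirely."""
    assert len(pool) == len(hw)
    return bytes(hw)


def adversary_known_hw(counter: int, n: int = 32) -> bytes:
    """Stand-in for a 'hardware' source whose output the adversary can predict.
    Constructed: derived deterministically from a counter the adversary knows."""
    material = b"constructed-hw-" + counter.to_bytes(8, "big")
    return hashlib.sha256(material).digest()[:n]


def attacker_success_count(combine, trials: int = 200, n: int = 32) -> int:
    """Run the combiner over many fresh, unpredictable pools while the adversary
    knows the hardware output. Count how often the adversary's guess (the raw
    hardware output) equals the combined output.

    Honest XOR: 0 hits (a hit would need pool == all-zero bytes, ~2^-256).
    Copy:       every trial is a hit; the pool's entropy is gone.
    """
    hits = 0
    for i in range(trials):
        pool = secrets.token_bytes(n)       # honest, unpredictable pool state
        hw = adversary_known_hw(i, n)       # adversary-predictable input
        out = combine(pool, hw)
        if out == hw:                       # adversary predicted the output
            hits += 1
    return hits


def combiner_sanity_check(pool: bytes, hw: bytes, out: bytes) -> bool:
    """Coarse self-test: a combined output should never equal either raw input.
    Catches the degenerate copy case in this model. It does not protect against
    hardware that can also alter the comparison itself."""
    return out != hw and out != pool


if __name__ == "__main__":
    print("honest XOR, attacker hits:", attacker_success_count(xor_combine))
    print("XOR-as-copy, attacker hits:", attacker_success_count(copy_combine))
    p, h = secrets.token_bytes(32), adversary_known_hw(0)
    print("sanity check (honest):", combiner_sanity_check(p, h, xor_combine(p, h)))
    print("sanity check (copy):  ", combiner_sanity_check(p, h, copy_combine(p, h)))
```

Running it prints 0 attacker hits for the honest combiner and 200 for the copy variant, which is the quantitative version of "it would remove any randomness from the bits you already have": the pool's unpredictability contributes nothing once the final mixing step is bypassed.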