At 9:00 PM +0000 2/2/2000, lcs Mixmaster Remailer wrote:
>It may not have been mentioned here, but Intel has
>released the programmer interface specs to their RNG, at
>http://developer.intel.com/design/chipsets/manuals/298029.pdf.
>Nothing prevents the device from being used in Linux /dev/random now.
>
>As for the concerns about back doors, the best reference on
>the design of the RNG remains cryptography.com's analysis at
>http://www.cryptography.com/intelRNG.pdf.  Paul Kocher and his team
>concluded that the chip was well designed and that the random numbers were
>of good quality.  (Note, BTW that the RNG is extremely small, crammed
>into the margins of the device.  An RNG which produced undetectably
>backdoored random data would probably be an order of magnitude larger.)

I respect Paul, but there is a matter of principle here. Crypto is 
hard enough without having to rely on trusted experts to verify what 
should simply be made public. The business case for Intel's RNG 
secrecy is weak at best. I want to make it weaker. As for the RNG 
being crammed in, who knows what will happen in future chips?

>
>Even if Intel wanted to put in a back door, it would be very difficult
>to exploit it successfully.  There is no way for the chip to predict how
>any given random bit will be used: it may go into a session key directly,
>it may be hashed through some kind of mixing function along with other
>sources of randomness, it may seed a PRNG which is then used to find
>RSA primes.  There are a multitude of different possibilities and it
>would be hard in general to design an effective backdoor without knowing
>how the output will be used.

I don't agree. All that is needed is for the backdoored RNG to 
produce an output stream that is determined by some state with a 
relatively small number of bits. Then an otherwise infeasible search 
strategy would become feasible. An attacker would still have to know 
how the program-under-attack used the RNG output, but we do not rely 
on software obscurity. (Of course if the RNG output is first mixed 
with another source of high entropy randomness then there is no added 
vulnerability. I am positing that, over time, vendors who use the 
Intel RNG will neglect this step.)

>
>And as pointed out before, this level of paranoia is ultimately self
>defeating, as Intel could just as easily put back doors into its CPU.
>Unless or until you are willing to use a self-designed and self-fabbed
>CPU, you are fundamentally at the mercy of the hardware manufacturer.
CPU back doors are a different risk and are more subject to your 
first criticism than the RNG. Weak random number generation is a 
vulnerability common to almost all crypto systems. We should not 
lower standards in one area because there are risks in other areas. 
To paraphrase the Strategic Air Command, "paranoia is our profession."

Arnold Reinhold
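The argument in Reinhold's reply (an RNG whose output is fixed by a small hidden state turns an infeasible search into a feasible one, while mixing that output with an independent entropy source removes the added vulnerability) as an added Python example that is not part of this thread. The RNG model, the 16-bit state size, SHA-256 as the mixing function and the sample entropy are constructed assumptions for illustration and have nothing to do with Intel's actual design.

```python
import hashlib
from typing import Optional

STATE_BITS = 16  # assumed size of the backdoor's hidden state (constructed value)


def backdoored_rng(hidden_state: int, n_bytes: int) -> bytes:
    """Toy model of a backdoored hardware RNG (constructed, not Intel's design):
    every output byte is a deterministic function of a small hidden state."""
    out = b""
    block_no = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(
            hidden_state.to_bytes(2, "big") + block_no.to_bytes(4, "big")
        ).digest()
        block_no += 1
    return out[:n_bytes]


def recover_state(observed: bytes) -> Optional[int]:
    """The 'otherwise infeasible search' made feasible: try all 2^STATE_BITS
    states; return the one reproducing the observed bytes, or None if no
    state does (the output is then not determined by the small state)."""
    for state in range(1 << STATE_BITS):
        if backdoored_rng(state, len(observed)) == observed:
            return state
    return None


def predict_next_key(hidden_state: int, bytes_used: int, key_len: int) -> bytes:
    """Once the state is known, the victim's next key falls out for free."""
    return backdoored_rng(hidden_state, bytes_used + key_len)[bytes_used:]


def mixed_rng(hw_output: bytes, other_entropy: bytes) -> bytes:
    """The mixing step the reply fears vendors will neglect: hash the hardware
    output together with an independent entropy source, so no small state
    alone determines the result."""
    return hashlib.sha256(b"hw:" + hw_output + b"|other:" + other_entropy).digest()


if __name__ == "__main__":
    HIDDEN = 0xBEEF                                   # constructed hidden state
    leaked_key = backdoored_rng(HIDDEN, 16)           # RNG output used directly as a key
    state = recover_state(leaked_key)                 # at most 2^16 hashes, well under a second
    print("recovered state:", hex(state))
    print("victim's next key:", predict_next_key(state, 16, 16).hex())
    other = b"constructed stand-in for 32 bytes from another entropy source"
    mixed_key = mixed_rng(backdoored_rng(HIDDEN, 16), other)
    print("search against mixed output finds:", recover_state(mixed_key[:16]))  # None
```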
