On Wed, 2 Feb 2000, Martin Minow wrote:

> > http://www.cryptography.com/intelRNG.pdf.
> 
> The one problem I have with the RNG, based on my reading of the
> analysis, is that programmers cannot access the "raw" bitstream,
> only the stream after the "digital post-processing" that converts
> the bitstream into a stream of balanced 1 and 0 bits.

Why do you want this?  The post-processing is a simple Von Neumann bias
remover that looks for 0-1 and 1-0 transitions (actually slightly more
complex, looking at triplets of bits rather than pairs, but the same
idea).  The benefit you would gain from being able to see this biased
data must be balanced against the harm that will result from some people
accidentally using it in the belief that it is secure.

Bram replied:

> It not only does that, it hashes the thing using sha-1. For all we know,
> the thing might be producing unacceptably small amounts of entropy for
> crypto purposes but large enough amounts that it hardly ever repeats.

No, it doesn't.  The Intel software library does that, but
if you use the spec referenced earlier to access the chip,
http://developer.intel.com/design/chipsets/manuals/298029.pdf, there is
no SHA hash involved.  Hashing or otherwise munging the output before
use is probably still a good idea, though.

> The work on studying the output of Intel's RNG has only had access
> to the post-processed output, plus I believe a file directly from Intel
> which was claimed to be unprocessed output. Yeah ... right.

The post-processed output was processed via the Von Neumann bias remover,
and that's the way the data comes off the chip. It is entirely appropriate
to analyze such output in looking at the quality of the randomness
produced by the chip.  Paul Kocher is not such an idiot as to try to
analyze the output of a SHA-1 whitener for quality of randomness.

> If Intel wants people to trust them, they should quit acting like they're
> covering for bad engineering.

So, what would satisfy you?  Kocher has published the theory of the
device, but that's not good enough.  What more do you need?  Circuit
diagrams?  Device masks?  Even those could be faked.  Don't you need
an observer standing at the Intel fab plant, empowered to take his own
samples of the chips and subject them to analysis?  Or, better, a team of
observers sitting in on all Intel engineering and management meetings to
make sure they don't do anything untrustworthy?

Short of this level of monitoring, it is impossible to be sure that the
chip in your computer is free of backdoors (and even then you have to
worry about somebody sneaking into your house and swapping CPU boards on
you).  Face it: no matter what they do, people are going to bitch, just
like they do at every other crypto or security company in the industry.
There's no satisfying some people.

Intel has gone to great lengths, they have made the design available to
some of the best minds in the fields for scrutiny, and it has passed with
flying colors.  For months people complained about the lack of access to
the hardware, and now they've even opened that up as well (as predicted
here, BTW).  If you really want more, you should say exactly what would
make you happy.  Get a consensus on that from security professionals
and you might get what you want.

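An added example (mine, not code from this thread, from Intel, or from the Kocher analysis) of the pairwise Von Neumann bias remover the post describes, run against two constructed stand-ins for a raw hardware stream. It implements only the classic pairwise corrector, not the triplet variant the post attributes to Intel. The two sources, the function names (von_neumann_debias, biased_source, sticky_source, compare) and the PRNG seeds are my own constructions. The point it makes is the one in the post: the corrector removes bias but not serial correlation, so a balanced output is not proof of full entropy, which is why hashing the output before use is still a good idea.

```python
import random

def von_neumann_debias(bits):
    """Classic pairwise Von Neumann corrector (the post says Intel's version
    looks at triplets; that variant is not reproduced here).
    Non-overlapping pairs: 01 -> emit 0, 10 -> emit 1, 00 and 11 -> discard.
    For independent bits P(01) == P(10), so the output is exactly unbiased."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)   # first bit of the transition: 01 -> 0, 10 -> 1
    return out

def biased_source(n, p_one, seed):
    """Constructed stand-in for a raw hardware stream: independent bits with
    P(1) = p_one.  Seeded PRNG so runs are reproducible."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def sticky_source(n, p_stay, seed):
    """Constructed stand-in for a serially correlated source (e.g. a slow
    oscillator sampled too fast): each bit repeats the previous one with
    probability p_stay.  Its one-bit statistics are balanced, but it carries
    far less than one bit of entropy per sample."""
    rng = random.Random(seed)
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        prev = bits[-1]
        bits.append(prev if rng.random() < p_stay else 1 - prev)
    return bits

def one_bias(bits):
    """Fraction of ones; 0.5 for a balanced stream."""
    return sum(bits) / len(bits) if bits else 0.0

def adjacent_equal(bits):
    """Fraction of adjacent bit pairs that are equal; 0.5 for an ideal
    memoryless source.  A cheap serial-correlation check."""
    if len(bits) < 2:
        return 0.0
    same = sum(1 for a, b in zip(bits, bits[1:]) if a == b)
    return same / (len(bits) - 1)

def compare(raw):
    """Run the corrector over a raw stream and report input vs output stats."""
    corrected = von_neumann_debias(raw)
    return {
        "in_bias": one_bias(raw),
        "out_bias": one_bias(corrected),
        "in_equal": adjacent_equal(raw),
        "out_equal": adjacent_equal(corrected),
        "yield": len(corrected) / len(raw),
    }

if __name__ == "__main__":
    for name, raw in (("biased iid p=0.8", biased_source(200_000, 0.8, seed=1)),
                      ("sticky p_stay=0.9", sticky_source(200_000, 0.9, seed=2))):
        r = compare(raw)
        print(f"{name}: in_bias={r['in_bias']:.3f} out_bias={r['out_bias']:.3f} "
              f"in_equal={r['in_equal']:.3f} out_equal={r['out_equal']:.3f} "
              f"yield={r['yield']:.3f}")
```

For the independent-but-biased source the corrector does exactly what the post says: the output is balanced, at the cost of keeping only about 2p(1-p) of the pairs (around 16% of the input bits at p=0.8). For the sticky source the output is also balanced, so a bias check alone would pass it, yet the adjacent-equal fraction of the output sits roughly at 0.4 instead of 0.5: the corrector has not removed the correlation, and the stream is still short of one bit of entropy per output bit. That is the gap a hash or other conditioning step is there to close.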