On Mon, Jul 12, 2010 at 12:22:51PM -0400, Perry E. Metzger wrote: > BTW, let me note that if Intel wanted to gimmick their chips to make > them untrustworthy, there is very little you could do about it. The > literature makes it clear at this point that short of carefully > tearing apart and analyzing the entire chip, you're not going to catch > subtle behavioral changes designed to allow attackers backdoor > access. Given that, I see little reason not to trust them on an RNG, > and I wish they would make it a standard part of the architecture > already.
I think it's important to make the distinction between trusting Intel not to have made it actively malicious, and trusting them to have gotten it perfectly correct in such a way that it cannot fail. Fortunately, the second problem, that it is a well-intentioned but perhaps slightly flawed RNG [*], could be easily alleviated by feeding the output into a software CSPRNG (X9.31, a FIPS 186-3 design, take your pick I guess). And the first could be solved by also feeding your CSPRNG with anything that you would have fed it with in the absense of the hardware RNG - in that case, you're at least no worse off than you were before. (Unless your PRNG's security can be negatively affected by non-random or maliciously chosen inputs, in which case you've got larger problems). -Jack [*] Even if it were perfectly designed, it seems plausible to me that manufacturing defects and/or any number of runtime problems (age, overheating, bad voltage control, cosmic rays, dirty power, etc, etc) might cause subtle failures/biases that might be difficult to detect reliably; I would personally be dubious of using any hardware RNGs output directly for this reason. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com