On Mon, 9 Sep 2013 23:29:52 -0400 John Kelsey <crypto....@gmail.com> wrote: > On Sep 9, 2013, at 6:32 PM, "Perry E. Metzger" <pe...@piermont.com> > wrote: > > > First, David, thank you for participating in this discussion. > > > > To orient people, we're talking about whether Intel's on-chip > > hardware RNGs should allow programmers access to the raw HRNG > > output, both for validation purposes to make sure the whole > > system is working correctly, and if they would prefer to do their > > own whitening and stretching of the output. > > Giving raw access to the noise source outputs lets you test the > source from the outside, and there is alot to be said for it. But > I am not sure how much it helps against tampered chips. If I can > tamper with the noise source in hardware to make it predictable, it > seems like I should also be able to make it simulate the expected > behavior.
Sure, but that might be visible in chip teardowns, which would see an unexpected circuit, while an analog defect in the dual inverter circuit Intel is using (or was using, I haven't looked in a while) that biased the output might be quite subtle and very difficult to find even then. People forget that you can, in fact, tear down chips. Though I will not claim it can be done with anything like the the ease with which people reverse engineer software, the tools are available at many research universities these days, and more and more people are doing it. The part that could get hairy, of course, is that there's an ocean of circuitry on a modern high end processor, and given that this is being handled by an instruction, there's an awful lot of ways it could be gimmicked even if the "correct" circuit was there and seemed to work as advertised. Fully analyzing the situation might take real funding. Perry -- Perry E. Metzger pe...@piermont.com _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
