On 13 July 2013 03:20, Peter Gutmann <[email protected]> wrote:
> Nico Williams <[email protected]> writes:
>
>>I'd like to understand what attacks NSA and friends could mount, with Intel's
>>witting or unwitting cooperation, particularly what attacks that *wouldn't*
>>put civilian (and military!) infrastructure at risk should details of a
>>backdoor leak to the public, or *worse*, be stolen by an antagonist.
>
> Right. How exactly would you backdoor an RNG so (a) it could be effectively
> used by the NSA when they needed it (e.g. to recover Tor keys), (b) not affect
> the security of massive amounts of infrastructure, and (c) be so totally
> undetectable that there'd be no risk of it causing a s**tstorm that makes the
> $0.5B FDIV bug seem like small change (not to mention the legal issues, since
> this one would have been inserted deliberately, so we're probably talking
> bet-the-company amounts of liability there).
>
>>I'm *not* saying that my wishing is an argument for trusting Intel's RNG --
>>I'm sincerely trying to understand what attacks could conceivably be mounted
>>through a suitably modified RDRAND with low systemic risk.
>
> Being careful is one thing, being needlessly paranoid is quite another. There
> are vast numbers of issues that crypto/security software needs to worry about
> before getting down to "has Intel backdoored their RNG".
But what's the argument for _not_ mixing their probably-not-backdoored RNG with other entropy?

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
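Added example, not part of the thread above and not anyone's posted code: a minimal hash-based entropy mixer of the kind the closing question is about. It combines a hardware-style source with a second independent source, then checks two properties a defender cares about: the seed stays unpredictable even when one source is fully predictable, and neither source can be silently dropped by the mixer. `predictable_hw_source` is a constructed stand-in for a compromised hardware RNG (it is not RDRAND), `os_source` is just `os.urandom`, and the domain-separation label is an arbitrary choice.

```python
import hashlib
import os

# Constructed worst case standing in for a hardware RNG such as RDRAND:
# every call returns the same bytes, i.e. the source is fully predictable
# to whoever knows its secret. It is a stand-in, not the real instruction.
def predictable_hw_source(n: int = 32) -> bytes:
    return bytes([0x42]) * n

# Second, independent source: the OS pool. Any other source would do.
def os_source(n: int = 32) -> bytes:
    return os.urandom(n)

def mix_entropy(*sources: bytes, label: bytes = b"example-mix-v1") -> bytes:
    """Combine several entropy inputs into one 32-byte seed.

    Each input is length-prefixed before hashing so the concatenation is
    unambiguous (b"ab"+b"c" and b"a"+b"bc" hash differently). Because SHA-256
    is one-way, predicting the seed requires knowing *every* input, so a
    single unpredictable source keeps the output unpredictable.
    """
    h = hashlib.sha256()
    h.update(label)
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))  # length prefix
        h.update(s)
    return h.digest()

def seed_survives_one_bad_source(trials: int = 8) -> bool:
    """With the hardware source held constant, seeds still differ from call
    to call because the second source varies."""
    seeds = {mix_entropy(predictable_hw_source(), os_source())
             for _ in range(trials)}
    return len(seeds) == trials

def each_source_affects_output() -> bool:
    """Changing either input alone (or their order) changes the seed, so the
    mixer cannot be quietly ignoring one of them."""
    a, b, c = b"A" * 32, b"B" * 32, b"C" * 32
    base = mix_entropy(a, b)
    return (base != mix_entropy(c, b)
            and base != mix_entropy(a, c)
            and base != mix_entropy(b, a))

if __name__ == "__main__":
    print("seed:", mix_entropy(predictable_hw_source(), os_source()).hex())
    print("one bad source tolerated:", seed_survives_one_bad_source())
    print("both sources matter:", each_source_affects_output())
```

The point of hashing the inputs together rather than XOR-ing them: with a hash combiner, the output is at least as unpredictable as the strongest input regardless of what the other inputs do, which is exactly the property you want when one source is "probably not backdoored" rather than "certainly not".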
