On Sat, Sep 7, 2013 at 8:24 AM, Andy Isaacson <[email protected]> wrote:

> That's the claimed design, yes. I see no particular reason to believe
> that the hardware in my server implements the design. I can't even test
> that the AES whitening does what it is documented to do, because Intel
> refused to provide access to the prewhitened input.
I agree; I misread the Intel documentation previously, and inferred that CTR_DRBG and other high-level algorithms are implemented in microcode, with the ES being accessible to it (and to reverse engineers) directly. Personally, I wouldn't trust an embedded engineer to implement bubble sort correctly, and see no reason to trust them with security-critical implementations, even if one assumes no malice or subversion of the production process.

In the Google+ thread referenced above, David Johnston (the Intel engineer in charge of RDRAND) claimed that all the specs are open and accessible; when I mentioned that the AES block size in CTR_DRBG is not even specified, I received no response (of course).

Also, proponents of feeding RDRAND directly into /dev/[u]random ignore the AES-reducibility of any cryptosystem that uses RDRAND in that fashion.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
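The "AES-reducibility" point above, as an added illustration that is not part of the original mail or of any Intel or Linux code: a CTR_DRBG-style generator whose key is known to whoever controls the hardware, fed either straight into the pool or hashed together with an independent source. HMAC-SHA256 stands in for AES because the Python standard library has no block cipher (an assumption; the structure, not the primitive, is the point), and the key, counter and "other entropy" values are constructed.

```python
"""Direct RDRAND feed vs. hash-mixed pool, modelled with a stand-in PRF."""
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes; CTR_DRBG emits one block per counter value


def ctr_drbg_generate(key: bytes, counter: int, nblocks: int) -> bytes:
    """CTR-mode keystream PRF_key(ctr), PRF_key(ctr+1), ... truncated to BLOCK.
    HMAC-SHA256 replaces AES here (assumption: no AES in the stdlib)."""
    out = bytearray()
    for i in range(nblocks):
        ctr = (counter + i).to_bytes(BLOCK, "big")
        out += hmac.new(key, ctr, hashlib.sha256).digest()[:BLOCK]
    return bytes(out)


def pool_direct(drbg_key: bytes, counter: int, nblocks: int) -> bytes:
    """Policy the mail objects to: pool output IS the DRBG output, nothing else."""
    return ctr_drbg_generate(drbg_key, counter, nblocks)


def pool_mixed(drbg_key: bytes, counter: int, nblocks: int, other: bytes) -> bytes:
    """Policy that hashes the DRBG output with independent sources (timings etc.)."""
    rdrand = ctr_drbg_generate(drbg_key, counter, nblocks)
    return hashlib.sha256(b"pool|" + rdrand + b"|" + other).digest()


def key_holder_predicts(known_key: bytes, counter: int, nblocks: int,
                        other_guess: bytes) -> tuple[bool, bool]:
    """Simulate a party that knows the DRBG key (vendor, or anyone who broke AES).
    Returns (predicted_direct_pool, predicted_mixed_pool) against the real pools."""
    real_other = b"constructed-interrupt-timings"   # constructed independent entropy
    direct_ok = pool_direct(known_key, counter, nblocks) == \
        ctr_drbg_generate(known_key, counter, nblocks)
    mixed_ok = pool_mixed(known_key, counter, nblocks, real_other) == \
        pool_mixed(known_key, counter, nblocks, other_guess)
    return direct_ok, mixed_ok


def demo() -> tuple[bool, bool]:
    key = bytes(range(32))          # constructed "known" DRBG key
    # Key holder reproduces the direct pool byte for byte, but a wrong guess
    # of the independent source leaves the mixed pool unpredictable to them.
    return key_holder_predicts(key, counter=1, nblocks=2, other_guess=b"\x00" * 29)
```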
