[liberationtech] Random number generation being influenced - rumors

Maxim Kammerer mk at dee.su
Sat Sep 7 08:21:00 PDT 2013


On Sat, Sep 7, 2013 at 8:24 AM, Andy Isaacson <adi at hexapodia.org> wrote:
> That's the claimed design, yes.  I see no particular reason to believe
> that the hardware in my server implements the design.  I can't even test
> that the AES whitening does what it is documented to do, because Intel
> refused to provide access to the prewhitened input.

I agree; I misread the Intel documentation previously, and inferred
that CTR_DRBG and other high-level algorithms are implemented in
microcode, with ES being accessible to it (and to reverse engineers)
directly. Personally, I wouldn't trust an embedded engineer to
implement bubble sort correctly, and see no reason to trust them with
security-critical implementations, even if one assumes no malice or
subversion of production process. In the Google+ thread referenced above,
David Johnston (the Intel engineer in charge of RDRAND) claimed that all
the specs are open and accessible; when I mentioned that the AES block
size in CTR_DRBG is not even specified, I received no response (of
course). Also, proponents of feeding RDRAND directly into
/dev/[u]random ignore the AES-reducibility of any cryptosystem that
uses RDRAND in that fashion.

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
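The last point in the post above, that feeding a hardware RNG straight into /dev/[u]random makes every consumer only as strong as that one source, is easier to see in code. The following is an added illustration, not code from the post or from Liberté Linux: a small SHA-256/HMAC-based pool that absorbs the hardware output together with other sources, contrasted with using the hardware output directly. The hardware source is simulated with a seeded hash so that an adversary who is assumed to know its entire output can be modelled deterministically; the pool design, the source labels and the sample inputs are all constructed for the example.

```python
"""
Why mixing a hardware RNG into an entropy pool matters.

Constructed example (not from the mailing-list post). The "hardware" RNG is
simulated from a fixed seed so we can model an adversary who knows its whole
output. Pool design is an assumption for illustration: HMAC-SHA-256 absorb,
HMAC-based extraction, then a state ratchet.
"""
import hashlib
import hmac


class EntropyPool:
    """Hash-based pool: every contribution is absorbed into a 32-byte state."""

    def __init__(self) -> None:
        self._state = b"\x00" * 32

    def mix(self, label: bytes, data: bytes) -> None:
        # Label each source so contributions from different sources cannot be
        # confused with one another when they are absorbed.
        msg = label + b"\x00" + len(data).to_bytes(4, "big") + data
        self._state = hmac.new(self._state, msg, hashlib.sha256).digest()

    def extract(self, n: int) -> bytes:
        # Derive output blocks from the state, then ratchet the state forward
        # so that an attacker holding the output cannot step back to the state.
        out, counter = b"", 0
        while len(out) < n:
            block = b"out" + counter.to_bytes(4, "big")
            out += hmac.new(self._state, block, hashlib.sha256).digest()
            counter += 1
        self._state = hmac.new(self._state, b"ratchet", hashlib.sha256).digest()
        return out[:n]


def simulated_hw_rng(seed: bytes, n: int) -> bytes:
    """Stand-in for RDRAND whose full output the adversary is assumed to know."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def key_from_hw_only(hw_output: bytes) -> bytes:
    """The 'feed RDRAND directly' design: the key is the raw hardware output."""
    return hw_output[:32]


def key_from_pool(hw_output: bytes, other_sources: list[tuple[bytes, bytes]]) -> bytes:
    """Mixed design: hardware output is one input among several."""
    pool = EntropyPool()
    pool.mix(b"hwrng", hw_output)
    for label, data in other_sources:
        pool.mix(label, data)
    return pool.extract(32)


def adversary_reproduces(true_key: bytes, hw_output: bytes,
                         known_sources: list[tuple[bytes, bytes]]) -> bool:
    """Can an adversary who knows the hardware output and the listed other
    sources recompute the key? Models 'reducibility' to the known sources."""
    return key_from_pool(hw_output, known_sources) == true_key


if __name__ == "__main__":
    hw = simulated_hw_rng(b"constructed-seed", 64)
    others = [(b"interrupt-timing", b"\x17\x42\x9a\x03" * 4),   # constructed sample
              (b"disk-latency", b"\xf0\x0d\xca\xfe\x00\x11" * 3)]  # constructed sample

    direct = key_from_hw_only(hw)
    print("direct design, adversary knows HW output ->",
          "key recovered" if direct == hw[:32] else "safe")

    mixed = key_from_pool(hw, others)
    print("pool design, adversary knows HW only     ->",
          "key recovered" if adversary_reproduces(mixed, hw, []) else "safe")
    print("pool design, adversary knows everything  ->",
          "key recovered" if adversary_reproduces(mixed, hw, others) else "safe")
```

The pool does not make a subverted hardware source harmless; it makes the system's security rest on the best of its inputs rather than on the one you cannot inspect. If every other source is also known or absent, the last case above shows the key is recomputed just the same.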
