[liberationtech] Random number generation being influenced - rumors
Eugen Leitl
eugen at leitl.org
Sat Sep 7 10:26:09 PDT 2013
On Sat, Sep 07, 2013 at 06:21:00PM +0300, Maxim Kammerer wrote:
> I agree; I misread the Intel documentation previously, and inferred
> that CTR_DRBG and other high-level algorithms are implemented in
> microcode, with ES being accessible to it (and to reverse engineers)
> directly. Personally, I wouldn't trust an embedded engineer to
> implement bubble sort correctly, and see no reason to trust them with
> security-critical implementations, even if one assumes no malice or
There is a hardware RNG in the AMD Geode LX. I tried very hard to
find any documentation, but found effectively nothing.
Am I that bad at searching, or is this really a black box?
> subversion of production process. In Google+ thread referenced above,
> David Johnston (Intel engineer in charge of RDRAND) claimed that all
> the specs are open and accessible; when I mentioned that the AES block
> size in CTR_DRBG is not even specified, I received no response (of
> course). Also, proponents of feeding RDRAND directly into
> /dev/[u]random ignore the AES-reducibility of any cryptosystem that
> uses RDRAND in that fashion.
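As an added illustration of the reducibility argument in the quoted text (this is not code from the thread, from Intel, or from any kernel): a small model in which the hardware generator is a keyed deterministic generator, so a party holding its key reproduces its output; feeding that output straight into the pool inherits the weakness, while hashing it together with an independent source does not. HMAC-SHA256 in counter mode stands in for an AES-based CTR_DRBG, the 16-byte block size is assumed (the page says it is unspecified), and the key holder is assumed to also know the counter.

```python
import hashlib
import hmac

BLOCK = 16  # assumed output block size; the thread notes Intel does not specify it


def keyed_generator(key: bytes, counter: int, nbytes: int = BLOCK) -> bytes:
    """Stand-in for a keyed DRBG: fully determined by (key, counter).
    HMAC-SHA256 in counter mode replaces AES-CTR here (modelling assumption)."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:nbytes]


def pool_direct(hw_output: bytes) -> bytes:
    """Model of feeding hardware RNG output straight through as pool output."""
    return hw_output


def pool_mixed(hw_output: bytes, independent: bytes) -> bytes:
    """Hash-combine hardware output with an independent entropy source.
    Predicting the result requires knowing *both* inputs."""
    return hashlib.sha256(b"mix|" + hw_output + independent).digest()[: len(hw_output)]


def key_holder_prediction(key: bytes, counter: int) -> bytes:
    """What a party that knows the generator key (and counter) can compute."""
    return keyed_generator(key, counter)


def demo(key: bytes, counter: int, independent: bytes) -> dict:
    """Compare both pool designs against a key holder's prediction."""
    hw = keyed_generator(key, counter)
    guess = key_holder_prediction(key, counter)
    return {
        "direct_predicted": guess == pool_direct(hw),
        "mixed_predicted": guess == pool_mixed(hw, independent),
    }


if __name__ == "__main__":
    # Constructed sample values: a generator key and one block from another source.
    print(demo(b"k" * 32, 7, b"i" * BLOCK))  # → {'direct_predicted': True, 'mixed_predicted': False}
```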