Re: use of RDRAND in $random_library

To: Martijn van Oosterhout <kleptog@gmail.com>
Cc: Gunnar Wolf <gwolf@gwolf.org>, Russ Allbery <rra@debian.org>, Debian Developers <debian-devel@lists.debian.org>
Subject: Re: use of RDRAND in $random_library
From: Theodore Ts'o <tytso@mit.edu>
Date: Fri, 13 Jun 2014 10:04:44 -0400
Message-id: <[🔎] 20140613140444.GA19551@thunk.org>
In-reply-to: <[🔎] CADWG95tikoQQZ0yhzPgV=4NMQsg+makJqzgF=xH8tcfKGwOP6Q@mail.gmail.com>
References: <[🔎] 20140613015610.GA7986@thin> <[🔎] 871tuty313.fsf@windlord.stanford.edu> <[🔎] 20140613042708.GA17057@gwolf.org> <[🔎] CADWG95tikoQQZ0yhzPgV=4NMQsg+makJqzgF=xH8tcfKGwOP6Q@mail.gmail.com>

On Fri, Jun 13, 2014 at 10:09:02AM +0200, Martijn van Oosterhout wrote:
> > Excuse me if I'm blunt here, but I understand that, on the point of
> > using entropy to seed a PRNG, if you have several shitty entropy
> > sources and one _really_ good one, and you xor them all together, the
> > resulting output is as random as the best of them. If your hardware
> > entropy source is faulted and produces just an endless stream of
> > '001001001001001001', xoring it with a valid Golomb sequence will give
> > you something even more random than a Golomb sequence.
> >
> The proof that XORing streams can't reduce the entropy relies on the
> sources being independant. I think the issue here is we don't know if
> RDRAND is independent or not. That said, doing a SHA256 over the output
> should be sufficient (assuming the CPU doesn't see you're doing a hash and
> short circuits it).

Basically, the question is how blatently do you think the NSA could
bugger the CPU.  If you believe they can completely bugger the CPU, so
they can detect that you are implementing some explicit crypto
instruction, and change its behaviour, or they can peek ahead in the
instruction pipeline, notice an XOR, determine that one of its inputs
is an RDRAND instruction, and the other inputs come from a read of
/dev/urandom, and then modify the behaviour of the XOR, all in such a
way that the hundreds or thousands of Intel employees that need to
improve, test, debug, etc. the CPU instruction execution engine
wouldn't notice, then you might as well give up now and start
implementing your own CPU from transitors, capictors, resistors, and
wires.

While I am willing to believe they might be able to secretly subvert
or bribe Intel to subvert the RDRAND engine, in some way which no
other or very few other employees at Intel would detect, to believe
they could then do so with the entire CPU is MUCH harder to believe.

There are probably much easier things to do, such as subverting
someone in Red Hat's release engineering department, for example.  A
buggered kernel is easier to accomplish, and much harder to detect.
This is one of the reasons why implementing reproducible binary builds
is a realy good idea from a security perspective.  This allows you to
spot check that various binaries correspond to the sources that they
claim to be form.

Cheers,

						- Ted

Reply to:

Follow-Ups:
- Re: use of RDRAND in $random_library
  - From: Jacob Appelbaum <jacob@appelbaum.net>

References:
- Re: Re: use of RDRAND in $random_library
  - From: Josh Triplett <josh@joshtriplett.org>
- Re: use of RDRAND in $random_library
  - From: Russ Allbery <rra@debian.org>
- Re: use of RDRAND in $random_library
  - From: Gunnar Wolf <gwolf@gwolf.org>
- Re: use of RDRAND in $random_library
  - From: Martijn van Oosterhout <kleptog@gmail.com>

Prev by Date: Re: use of RDRAND in $random_library
Next by Date: Bug#751509: ITP: icinga2 -- host and network monitoring system
Previous by thread: Re: use of RDRAND in $random_library
Next by thread: Re: use of RDRAND in $random_library
Index(es):
- Date
- Thread