On 1/14/19 7:07 AM, Thomas Goirand wrote:
On 12/18/18 8:11 PM, Theodore Y. Ts'o wrote:

If you are firmly convinced that there is a good chance that the NSA has suborned Intel in putting a backdoor into RDRAND, you won't want to use that boot option.

I have read numerous times that some people trust this or that part of the instruction set, and I always found it silly. Why should some instruction or part of the Intel CPU be more trusted? To me, either you trust the entire CPU, or you just don't trust it at all and consider using other CPU brands. Am I wrong with this reasoning?
I think the idea behind that is that the rest of the CPU has defined, verifiable behaviors. If NSA makes 1+1 sometimes equal 3, then that's detectable. So it'd be a fairly risky attack; someone might notice it. It also risks that other countries' NSA-equivalents make use of the backdoor.
OTOH, the RNG is not verifiable. It's supposed to take two entropy sources and apply AES to them to combine them. But how do you know it actually did that? You can't tell what the input to AES was, at least as long as AES remains secure. It could well be giving you the equivalent of 1, 2, 3, 4, etc. encrypted with a key known only to NSA. And there is much less risk of another country taking advantage as the numbers still are fully CSPRNG — to everyone but NSA.
(Also, see Dual_EC_DRBG)
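As an added illustration (not part of the thread), the scenario the reply describes: a "hardware RNG" whose output is just a counter run through a keyed function looks statistically fine to anyone without the key, is fully reproducible to whoever holds it, and stops being predictable once it is mixed with an independent source, which is the reason for feeding such an instruction into a pool rather than using it alone. SHA-256 in counter mode stands in for AES-CTR so this runs on the standard library only; HIDDEN_KEY and the function names are constructed for the example.

```python
import hashlib
import os

# Constructed stand-in for a backdoored hardware RNG. SHA-256(key || counter)
# plays the role of AES-CTR under a key known only to the adversary: without
# the key the stream is computationally indistinguishable from random, with
# the key every byte is reproducible from nothing but the counter position.
HIDDEN_KEY = b"constructed-key-known-only-to-the-adversary"


def keyed_stream(key: bytes, start_counter: int, nbytes: int) -> bytes:
    """Return nbytes of PRF output for counters start_counter, start_counter+1, ..."""
    out = bytearray()
    ctr = start_counter
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(16, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def monobit_fraction(data: bytes) -> float:
    """Fraction of set bits; close to 0.5 for any stream a simple statistical test accepts."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))


def mix_with_independent(hw: bytes, other: bytes) -> bytes:
    """XOR the hardware stream with an independent source (what pool mixing does, conceptually)."""
    if len(hw) != len(other):
        raise ValueError("sources must be the same length")
    return bytes(a ^ b for a, b in zip(hw, other))


def run_demo(nbytes: int = 4096) -> dict:
    # 1. The "chip" hands out the keyed counter stream; a user without the key
    #    can only run statistical checks on it, which it passes.
    hw_output = keyed_stream(HIDDEN_KEY, 0, nbytes)
    # 2. The key holder regenerates the identical bytes from the counter alone.
    adversary_guess = keyed_stream(HIDDEN_KEY, 0, nbytes)
    # 3. Mixing with an independent source (os.urandom here) defeats that
    #    prediction unless the adversary also controls the other source.
    mixed = mix_with_independent(hw_output, os.urandom(nbytes))
    return {
        "bit_balance": monobit_fraction(hw_output),
        "keyholder_predicts_raw": adversary_guess == hw_output,
        "keyholder_predicts_mixed": adversary_guess == mixed,
    }


if __name__ == "__main__":
    print(run_demo())
```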