[147081] in cryptography@c2.net mail archive


Re: [Cryptography] Radioactive random numbers

daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Fri Sep 13 11:44:47 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 12 Sep 2013 22:48:27 -0400
From: Thor Lancelot Simon <tls@rek.tjls.com>
To: "Perry E. Metzger" <perry@piermont.com>
In-Reply-To: <20130912110047.743e1782@jabberwock.cb.piermont.com>
Cc: Tony Arcieri <bascule@gmail.com>,
	Cryptography List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Thu, Sep 12, 2013 at 11:00:47AM -0400, Perry E. Metzger wrote:
> 
> In addition to getting CPU makers to always include such things,
> however, a second vital problem is how to gain trust that such RNGs
> are good -- both that a particular unit isn't subject to a hardware
> defect and that the design wasn't sabotaged. That's harder to do.

Or that a design that wasn't sabotaged intentionally wasn't sabotaged
accidentally while dropping it into place in a slightly different
product.  I've always thought highly of the design of the Hifn RNG
block, and the outside analysis of it which they published, but years
ago at Reefedge we found a bug in its integration into a popular Hifn
crypto processor that evidently had slipped through the cracks -- I
discussed it in more detail last year at
http://permalink.gmane.org/gmane.comp.security.cryptography.randombit/3020 .

Thor
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
