[148397] in cryptography@c2.net mail archive


[Cryptography] Fwd: [IP] 'We cannot trust' Intel and Via's

daemon@ATHENA.MIT.EDU (Charles Jackson)
Tue Dec 10 14:14:44 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <227BEBDF-7DDF-4CE2-92E8-F6D3CF274E58@gmail.com>
Date: Tue, 10 Dec 2013 11:10:06 -0500
From: Charles Jackson <clj@jacksons.net>
To: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


---------- Forwarded message ----------
From: David Farber <farber@gmail.com>
Date: Tue, Dec 10, 2013 at 9:39 AM
Subject: [IP] 'We cannot trust' Intel and Via's chip-based crypto, FreeBSD
developers say
To: ip <ip@listbox.com>




Begin forwarded message:

From: Dewayne Hendricks <dewayne@warpspeed.com>
Subject: [Dewayne-Net] 'We cannot trust' Intel and Via's chip-based crypto,
FreeBSD developers say
Date: December 10, 2013 at 9:05:32 AM EST
To: Multiple recipients of Dewayne-Net <dewayne-net@warpspeed.com>
Reply-To: dewayne-net@warpspeed.com

“We cannot trust” Intel and Via’s chip-based crypto, FreeBSD developers say
Following NSA leaks from Snowden, engineers lose faith in hardware
randomness.
By Dan Goodin
Dec 10 2013
<http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/>

Developers of the FreeBSD operating system will no longer allow users to
trust processors manufactured by Intel and Via Technologies as the sole
source of random numbers needed to generate cryptographic keys that can't
easily be cracked by government spies and other adversaries.

The change, which will be effective in the upcoming FreeBSD version 10.0,
comes three months after secret documents leaked by former National
Security Agency (NSA) subcontractor Edward Snowden said the US spy agency
was able to decode vast swaths of the Internet's encrypted traffic. Among
other ways, The New York Times, Pro Publica, and The Guardian reported in
September, the NSA and its British counterpart defeat encryption
technologies by working with chipmakers to insert backdoors, or
cryptographic weaknesses, in their products.

The revelations are having a direct effect on the way FreeBSD will use
hardware-based random number generators to seed the data used to ensure
cryptographic systems can't be easily broken by adversaries. Specifically,
"RDRAND" and "Padlock"—RNGs provided by Intel and Via respectively—will no
longer be the sources FreeBSD uses to directly feed random numbers into the
/dev/random engine used to generate random data in Unix-based operating
systems. Instead, it will be possible to use the pseudo random output of
RDRAND and Padlock to seed /dev/random only after it has passed through a
separate RNG algorithm known as "Yarrow." Yarrow, in turn, will add further
entropy to the data to ensure intentional backdoors, or unpatched
weaknesses, in the hardware generators can't be used by adversaries to
predict their output.

"For 10, we are going to backtrack and remove RDRAND and Padlock backends
and feed them into Yarrow instead of delivering their output directly to
/dev/random," FreeBSD developers said. "It will still be possible to access
hardware random number generators, that is, RDRAND, Padlock etc., directly
by inline assembly or by using OpenSSL from userland, if required, but we
cannot trust them any more."

In separate meeting minutes, developers specifically invoked Snowden's name
when discussing the change.

"Edward Snowdon [sic] -- v. high probability of backdoors in some (HW)
RNGs," the notes read, referring to hardware RNGs. Then, alluding to the
Dual EC_DRBG RNG forged by the National Institute of Standards and
Technology and said to contain an NSA-engineered backdoor, the notes read:
"Including elliptic curve generator included in NIST. rdrand in ivbridge
not implemented by Intel... Cannot trust HW RNGs to provide good entropy
directly. (rdrand implemented in microcode. Intel will add opcode to go
directly to HW.) This means partial revert of some work on rdrand and
padlock."

RNGs are one of the most important ingredients in any secure cryptographic
system. They are akin to the dice shakers used in board games that ensure
the full range of randomness is contained in each roll. If adversaries can
reduce the amount of entropy an RNG produces or devise a way to predict
some of its output, they can frequently devise ways to crack the keys
needed to decrypt an otherwise unreadable message. A weakness in the
/dev/random engine found in Google's Android operating system, for
instance, was the root cause of a critical exploit that recently allowed
thieves to pilfer bitcoins out of a user's digital wallet. RDRAND is the
source of random data provided by Ivy Bridge and later versions of Intel
processors. Padlock seeds random data in chips made by Via.

[snip]



Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>



-- 

Chuck

======================
Charles L. Jackson

301 656 8716    desk phone
888 469 0805    fax
301 775 1023    mobile

PO Box 221
Port Tobacco, MD 20677
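The design change the forwarded article describes, as an added example that is neither the article's nor FreeBSD's code: a simplified Yarrow-style pool in Python in which a hardware RNG is only one of several sources hashed into a pool that reseeds a keyed generator, contrasted with delivering the hardware output directly to /dev/random. The "hardware" source and the timing bytes are constructed stand-ins, and real Yarrow uses two pools, reseed thresholds and a block-cipher generator.

```python
# Added example, not FreeBSD code: a simplified Yarrow-style pool. Real Yarrow
# has two pools, reseed thresholds and a block-cipher generator.
import hashlib
import hmac


class YarrowLikePool:
    def __init__(self):
        self._pool = hashlib.sha256()  # accumulates samples from all sources
        self._key = b"\x00" * 32       # generator key, replaced on reseed
        self._counter = 0

    def add_sample(self, source_id, sample):
        # Tag each sample with its source and length before hashing it in.
        header = bytes([source_id]) + len(sample).to_bytes(4, "big")
        self._pool.update(header + sample)

    def reseed(self):
        # New key = H(old key || pool digest); the pool then starts fresh.
        self._key = hashlib.sha256(self._key + self._pool.digest()).digest()
        self._pool = hashlib.sha256()
        self._counter = 0

    def generate(self, n):
        # Counter-mode output under the key; the key itself never leaves.
        out = b""
        while len(out) < n:
            ctr = self._counter.to_bytes(8, "big")
            out += hmac.new(self._key, ctr, hashlib.sha256).digest()
            self._counter += 1
        return out[:n]


def backdoored_hw_rng(n):
    # Constructed stand-in for a hardware RNG whose output an adversary can
    # predict completely: the worst case the FreeBSD minutes worry about.
    return bytes([0x42]) * n


def random_direct(n):
    # Pre-10.0 design: hardware output goes straight to /dev/random, so a
    # compromised source alone determines the key material.
    return backdoored_hw_rng(n)


def random_via_pool(n, timing_entropy):
    # 10.0 design: hardware output is only one pool input (source 0); an
    # adversary must also know source 1 (constructed timing bytes) to predict it.
    pool = YarrowLikePool()
    pool.add_sample(0, backdoored_hw_rng(32))
    pool.add_sample(1, timing_entropy)
    pool.reseed()
    return pool.generate(n)
```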


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography