[148471] in cryptography@c2.net mail archive
Re: [Cryptography] Fwd: [IP] 'We cannot trust' Intel and Via's
daemon@ATHENA.MIT.EDU (John Kelsey)
Mon Dec 16 12:47:10 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <52ABFF68.9010000@iang.org>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Mon, 16 Dec 2013 12:35:37 -0500
To: ianG <iang@iang.org>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Dec 14, 2013, at 1:49 AM, ianG <iang@iang.org> wrote:
...
> That would be to reinvent Yarrow?
>
> If that were known as Linux's approach, and RDRAND where spiked, it would be a simple matter to spike the RDRAND in microcode again (a known/suspected capability).
>
> Perhaps to unXOR the contents of the previous instruction and XOR in the secret stream...
You are assuming a way, way more complicated and specialized bit of malevolent engineering in the RNG chip, at that point--one that only works on one OS RNG, and one that probably breaks every time there's an OS upgrade that touches the RNG.
Also, I have to guess that the CPU designer could find hundreds of easier ways to screw over my security. What OS-based RNG could withstand having the CPU it's running on designed to defeat its security?
> iang
--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
