[148486] in cryptography@c2.net mail archive
Re: [Cryptography] Fwd: [IP] 'We cannot trust' Intel and Via's
daemon@ATHENA.MIT.EDU (Roland C. Dowdeswell)
Tue Dec 17 13:46:58 2013
X-Original-To: cryptography@metzdowd.com
Date: Tue, 17 Dec 2013 12:26:00 +0000
From: "Roland C. Dowdeswell" <elric@imrryr.org>
To: ianG <iang@iang.org>
In-Reply-To: <52AC62FD.5040004@iang.org>
Cc: Jerry Leichter <leichter@lrw.com>, John Kelsey <crypto.jmk@gmail.com>,
cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Sat, Dec 14, 2013 at 04:54:05PM +0300, ianG wrote:
>
> The RDRAND instruction I'd say is the low hanging fruit, because it
> is called rarely and for precise purposes. Inside that instruction,
> check whether there is a XOR coming up, of the output of RDRAND and
> some other X. Likely, that value X is already calculated, sitting
> in a register somewhere. Do some pre-XOR magic with that X, and the
> RDRAND output, and the secret sauce.
It's probably sufficient to just have RDRAND output a predictable
value XORed with all of the registers. Given that the only
unpredictable value in any of the registers is going to be the
output of the OS RNG, this would likely be enough. No need to
check if there's an upcoming XOR, the worst case is that the
scheme doesn't work.
--
Roland Dowdeswell http://Imrryr.ORG/~elric/
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
