Re: Handling of entropy during boot
On 1/14/19 7:07 AM, Thomas Goirand wrote:
> On 12/18/18 8:11 PM, Theodore Y. Ts'o wrote:
>> If you are firmly convinced that there is a good
>> chance that the NSA has suborned Intel in putting a backdoor into
>> RDRAND, you won't want to use that boot option.
> I have read numerous times that some people trust this or that part of
> the instruction set, and I always found it silly. Why should some
> instruction or part of the Intel CPU be more trusted? To me, either you
> trust the entire CPU, or you just don't trust it at all and consider
> using other CPU brands. Am I wrong with this reasoning?

I think the idea behind that is that the rest of the CPU has defined, verifiable behaviors. If NSA makes 1+1 sometimes equal 3, then that's detectable. So it'd be a fairly risky attack; someone might notice it. It also risks that other countries' NSA-equivalents make use of the backdoor.

OTOH, the RNG is not verifiable. It's supposed to take two entropy sources and apply AES to them to combine them. But how do you know it actually did that? You can't tell what the input to AES was, at least as long as AES remains secure. It could well be giving you the equivalent of 1, 2, 3, 4, etc. encrypted with a key known only to NSA. And there is much less risk of another country taking advantage as the numbers still are fully CSPRNG — to everyone but NSA.

(Also, see Dual_EC_DRBG)