Re: Handling of entropy during boot
- Date: Wed, 16 Jan 2019 01:12:35 -0500
- From: Anthony DeRobertis <anthony@xxxxxxxxxxxx>
- Subject: Re: Handling of entropy during boot
On 1/14/19 7:07 AM, Thomas Goirand wrote:
> On 12/18/18 8:11 PM, Theodore Y. Ts'o wrote:
>> If you are firmly convinced that there is a good
>> chance that the NSA has suborned Intel in putting a backdoor into
>> RDRAND, you won't want to use that boot option.
> I have read numerous times that some people trust this or that part of
> the instruction set, and I always found it silly. Why should some
> instruction or part of the Intel CPU be more trusted? To me, either you
> trust the entire CPU, or you just don't trust it at all and consider
> using other CPU brands. Am I wrong with this reasoning?
I think the idea behind that is that the rest of the CPU has defined,
verifiable behaviors. If NSA makes 1+1 sometimes equal 3, then that's
detectable. So it'd be a fairly risky attack; someone might notice it.
It also risks that other countries' NSA-equivalents make use of the
OTOH, the RNG is not verifiable. It's supposed to take two entropy
sources and apply AES to them to combine them. But how do you know it
actually did that? You can't tell what the input to AES was, at least as
long as AES remains secure. It could well be giving you the equivalent
of 1, 2, 3, 4, etc. encrypted with a key known only to NSA. And there is
much less risk of another country taking advantage as the numbers still
are fully CSPRNG — to everyone but NSA.
(Also, see Dual_EC_DRBG)
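An added illustration of the argument above, not code from this thread or from any vendor: a small Python model of an opaque on-die DRBG in which HMAC-SHA256 stands in for the AES step, an "escrow" mode feeds the PRF a plain counter under a key only the designer knows, and a hash combiner shows the usual mitigation of mixing CPU RNG output with an independently gathered pool. The class, function and key names are assumptions for the example.

```python
import hashlib
import hmac
import os

# HMAC-SHA256 stands in for the AES step inside the hardware DRBG; a consumer
# sees only the 32-byte outputs, never the input that was fed to the PRF.
def keyed_prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class OpaqueDrbg:
    """Model of an on-die RNG whose internals cannot be inspected.
    honest=True : each output is the PRF of fresh entropy (os.urandom here).
    honest=False: each output is the PRF of a plain counter 1, 2, 3, ... under
                  a key known only to the designer (the scenario in the post)."""
    def __init__(self, key: bytes, honest: bool):
        self.key, self.honest, self.counter = key, honest, 0

    def output(self) -> bytes:
        self.counter += 1
        seed = os.urandom(32) if self.honest else self.counter.to_bytes(16, "big")
        return keyed_prf(self.key, seed)

def ones_fraction(blob: bytes) -> float:
    """Crude statistical check a consumer might run: fraction of 1 bits."""
    return sum(bin(b).count("1") for b in blob) / (8 * len(blob))

def looks_random(drbg: OpaqueDrbg, n: int = 4096) -> bool:
    """Passes in both modes: without the key the escrowed stream is
    indistinguishable from random, which is why the RNG is not verifiable."""
    stream = b"".join(drbg.output() for _ in range(n))
    return 0.48 < ones_fraction(stream) < 0.52

def predict_escrowed(key: bytes, n: int) -> list:
    """What the key holder can compute in advance for the dishonest DRBG."""
    return [keyed_prf(key, i.to_bytes(16, "big")) for i in range(1, n + 1)]

def mix(cpu_output: bytes, pool_entropy: bytes) -> bytes:
    """Defender's mitigation: hash the CPU RNG output together with entropy
    gathered from independent sources, so the result stays unpredictable as
    long as either source is honest (assumed combiner, not the kernel's code)."""
    return hashlib.sha256(cpu_output + pool_entropy).digest()
```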