
Intel In Bed with NSA?

185 points | lifeguard | 12 years ago | cryptome.org

68 comments


comex|12 years ago

It is really, really hard for me to see this as anything other than utter paranoia. As one of the messages in the thread stated:

> Right. How exactly would you backdoor an RNG so (a) it could be effectively used by the NSA when they needed it (e.g. to recover Tor keys), (b) not affect the security of massive amounts of infrastructure, and (c) be so totally undetectable that there'd be no risk of it causing a ststorm that makes the $0.5B FDIV bug seem like small change (not to mention the legal issues, since this one would have been inserted deliberately, so we're probably talking bet-the-company amounts of liability there).

josephlord|12 years ago

And how long ago would the idea that the NSA get call logs for every call in the USA have been utter paranoia? Or that they tap and record all international internet traffic?

Just because you are paranoid doesn't mean that they aren't out to get you!

If your random number generator isn't then all of your crypto is basically useless. Paranoid is the correct state of mind for these systems.

lifeguard|12 years ago

Well, it is documented that the NSA made DES weaker by using less bits for key size (this makes brute forcing easier). I also noted that Schneier's AES submission was passed over (I speculate that Rijndael is easier to brute force).

The feds used to fight civilian crypto tooth and nail. Then they allowed it, and in one of the crypto books a story was related that the feds were bummed about RSA and friends. The listener questioned why, when surely their efforts were feeble compared to the government's. The response was the pace of development was much faster than expected.

cenhyperion|12 years ago

>anything other than utter paranoia.

I want hackers, cypherpunks, and cryptographers to be utterly paranoid.

enkrs|12 years ago

Definitely paranoia. If you want to believe NSA is spying through your Intel system, they could do it through vPro and not some RNG calculations. One might assume that NSA can easily tap into the built-in VNC server[1] of the CPU.

[1] Computers with particular Intel® Core™ vPro™ processors enjoy the benefit of a VNC-compatible Server embedded directly onto the chip, enabling permanent remote access and control. A RealVNC collaboration with Intel's ground-breaking hardware has produced VNC Viewer Plus, able to connect even if the computer is powered off, or has no functioning operating system. http://www.vnc.com/products/viewerplus/

humanspecies|12 years ago

> It is really, really hard for me to see this as anything other than utter paranoia.

It is really really hard for me to imagine Intel not being 100% cooperative with the NSA.

rorrr2|12 years ago

That's an argument from ignorance fallacy.

"I can't imagine how that (potential) backdoor can be abused, therefore it doesn't exist".

Random generators controlled by a third party are ABSOLUTELY a problem for any crypto system based on them.

Your (b) argument is even more ridiculous, considering the NSA events that just unfolded.

Your (c) argument makes zero sense, considering it got detected.

__alexs|12 years ago

The comments about RdRand being impossible to verify because it's on-chip seem quite reasonable. (Although Intel have tried to be quite open about how it works. https://sites.google.com/site/intelrdrand/references)

I have no idea if RdRand is the only source of entropy for /dev/urandom in the kernel these days but that does seem quite silly. Especially as RdRand is documented as having two error conditions, not enough entropy, and that the hardware appears to be broken.

In any case, here's the LKML thread where it was merged too http://thread.gmane.org/gmane.linux.kernel/1173350

obituary_latte|12 years ago

>I have no idea if RdRand is the only source of entropy for /dev/urandom in the kernel these days but that does seem quite silly

If I understand correctly, the idea is to use RdRand to feed the entropy pool (which is also fed by other noise)[1] from which urandom pulls. So it doesn't seem RdRand would be the sole source of entropy if it were to be used in this context.

[1]http://linux.die.net/man/4/urandom
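A simplified model of the two designs the thread is arguing about (hardware RNG output used directly versus mixed into a pool alongside other noise), added here as an illustration; it is not code from the thread or from the Linux kernel, and the pool layout, SHA-256 mixing and the sample inputs are all constructed assumptions:

```python
import hashlib

# Constructed sample inputs: what the hardware RNG returned, and the other
# noise a pool also collects (interrupt and disk timings in the real kernel).
HW_RNG_OUTPUT = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
OTHER_NOISE = b"constructed: disk and interrupt timing samples"


def mix_into_pool(pool: bytes, *sources: bytes) -> bytes:
    """Fold every contributed source into the pool state.
    SHA-256 stands in for the kernel's mixing function (model, not real code)."""
    h = hashlib.sha256(pool)
    for src in sources:
        h.update(len(src).to_bytes(4, "big"))  # length prefix keeps sources separated
        h.update(src)
    return h.digest()


def extract_from_pool(pool: bytes, nbytes: int = 32) -> bytes:
    """Derive output from the pool state through a one-way step."""
    return hashlib.sha256(b"extract" + pool).digest()[:nbytes]


def urandom_bypass(hw_output: bytes, nbytes: int = 32) -> bytes:
    """Design criticised in the thread: hardware RNG output bypasses the pool."""
    return hw_output[:nbytes]


def urandom_mixed(hw_output: bytes, noise: bytes, nbytes: int = 32) -> bytes:
    """Design the urandom man page describes: hardware RNG is one feeder among others."""
    pool = mix_into_pool(b"\x00" * 32, hw_output, noise)
    return extract_from_pool(pool, nbytes)


def attacker_prediction(design: str, known_hw_output: bytes) -> bytes:
    """Best guess of an adversary who knows (or controls) the hardware RNG output
    but not the other noise; in the mixed design they must guess that noise."""
    if design == "bypass":
        return urandom_bypass(known_hw_output)
    return urandom_mixed(known_hw_output, b"")  # wrong guess for the noise


def hw_backdoor_is_sufficient(design: str) -> bool:
    """True when knowing the hardware RNG output alone predicts the urandom output."""
    if design == "bypass":
        real = urandom_bypass(HW_RNG_OUTPUT)
    else:
        real = urandom_mixed(HW_RNG_OUTPUT, OTHER_NOISE)
    return attacker_prediction(design, HW_RNG_OUTPUT) == real
```

In the mixed design a compromised hardware source only stops adding entropy; it cannot by itself make the output predictable unless every other input is also known.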

adr_|12 years ago

If the NSA is working with Intel, they're not going to bother with an RNG... The processor is the most trusted part of the computer security model - why would you choose bad random numbers as your attack vector?

Relevant talk: Hardware Backdooring is Practical - Jonathan Brossard https://www.youtube.com/watch?v=j9Fw8jwG07g

starmole|12 years ago

This issue just does not pass the rubber hose test. If the NSA wanted and got a backdoor in Intel chips there are so many better ways to do it than introducing a bad hw rng. If you wanted one exploit in the chip, why would you pick a hard-to-exploit one, and a user-controlled one on top of that? It's classic paranoid thinking: People have a choice to use the hw rng or not. So it becomes a big deal. All the while not addressing the non-choice issue like having a potential backdoor triggered by a specific instruction sequence.

fauigerzigerk|12 years ago

It also needs to be hard to detect and relevant specifically for crypto operations. So where would you put a backdoor on a chipset?

adventured|12 years ago

It's safe to assume every core technology company has been compelled to be in bed with the NSA in some form or another. Intel has been anti-trust managed by the government for nearly two decades. Getting access to the monopoly desktop / laptop processor maker would be far too rich a target to ignore.

zanny|12 years ago

This is why I show preference towards AMD chips even when they have the competitive disadvantage. Any sufficiently large company ends up, through their will or the gov't's, wrapped up in politics. Which is one of the larger issues of our age.

stfu|12 years ago

Would appreciate some sort of a summary. Reading some mile long email exchange just to figure out what the headline is really about makes it kinda tricky.

mpyne|12 years ago

I read the whole thing, but few here would truly feel that my summary of 'paranoia. paranoia everywhere' is not a government plant.

The core concern seems to be the idea that an RNG embedded into Intel's latest kit might actually be a PRNG that could be backdoored by NSA on command somehow with resultant catastrophic effects to crypto primitives on that box, if the Intel RNG were the only source of entropy on the box.

spindritf|12 years ago

I upvoted but the current title ("Is Linus Tovalds 'evil'?") is downright horrible and I hope a mod will revert it to the original one soon.

lifeguard|12 years ago

Linus is (was?) one of my living heroes. But he controls the Linux kernel.

FTA:

"It's worth noting that the maintainer of record (me) for the Linux RNG quit the project about two years ago precisely because Linus decided to include a patch from Intel to allow their unauditable RdRand to bypass the entropy pool over my strenuous objections." -- Eugen* Leitl

Linus has close ties to Intel and has for a long time.

gmuslera|12 years ago

Hanlon's razor helps in this kind of discussion. Maybe when Linus took that option he didn't see Intel as something that would intentionally make its RNG predictable on government orders, and just chose not to reimplement the wheel where it was already available.

Would he take another option since last month? Maybe in the light of this he could take back that choice.

gizmo686|12 years ago

Linus does not have the option to reimplement the wheel. Software cannot generate random numbers.

VMG|12 years ago

Interesting discussion, but incredibly bad title.

lifeguard|12 years ago

I was trying to be concise. I also put quotes around evil.

3327|12 years ago

This is nothing more than speculative emails.

mr_spothawk|12 years ago

Did anybody look @ http://leitl.org/

This email could just as easily be the musings of an insane person, which is what's suggested by the contents of the website.

rooster8|12 years ago

One reason it would be a poor decision for the NSA to recommend Intel backdoor the RNG: Intel would be in a position to sell/leak the backdoor secret to other governments.

The NSA would have no way of blocking it from being used to attack the US. And you can't roll out a hotfix for billions of CPUs worldwide.

jvreeland|12 years ago

Doesn't the NSA end up using these machines as well? It seems like a lot of work to introduce a flaw that you have to work around for your own use later. And if it's a hardware flaw, I doubt even the NSA could demand Intel or AMD manufacture separate batches for their own use.