[openssl-dev] Work on a new RNG for OpenSSL

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Aug 22 00:49:13 UTC 2017


Forgot to add that the adversary would have to compromise not only Intel but also AMD CPUs. Not sure about ARM - but if it implements RDRAND then it must be compromised too, otherwise the enemy victory would be incomplete. ;-)
And think of the chips powering mobile devices...

Regards,
Uri

Sent from my iPhone

> On Aug 21, 2017, at 20:06, Paul Dale <paul.dale at oracle.com> wrote:
> 
> Uri wrote:
>>>   It might also use things like RDRAND / RDSEED which we don't trust.
>> ...
>> From cryptography point of view, it cannot hurt, but may help a lot
> 
> There is a scenario where it does hurt: https://www.lvh.io/posts/2013/10/thoughts-on-rdrand-in-linux.html
> 
> This attack wouldn't be difficult to implement given all the out of order execution and look ahead that CPUs do.   It requires a compromised RDRAND instruction changing the behaviour of a subsequent XOR into a copy.  Not only would it not be producing random bits but it would remove any randomness from the bits you already have.
> 
> 
> Pauli
> -- 
> Oracle
> Dr Paul Dale | Cryptographer | Network Security & Encryption 
> Phone +61 7 3031 7217
> Oracle Australia
> -- 
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
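As an added illustration of the failure mode Paul describes above (this is constructed example code, not code from the thread or from OpenSSL): a Python model in which the hypothetical `compromised_xor` stands in for a CPU that turns `pool XOR rd` into a plain copy of the RDRAND operand, plus two sanity checks that show how the entropy already in the pool vanishes from the mixed output.

```python
"""Model of the sabotaged-XOR scenario discussed in the thread.

Constructed illustration only: `compromised_xor` is a Python stand-in for a
CPU whose XOR silently becomes a copy of the RDRAND operand. Nothing here
touches a real RDRAND instruction; `os.urandom` plays the role of both the
pool contents and the hardware bytes.
"""
import os
from typing import Callable

Mixer = Callable[[bytes, bytes], bytes]


def honest_xor(pool: bytes, rd: bytes) -> bytes:
    """What the software author intended: pool XOR hardware bytes."""
    return bytes(p ^ r for p, r in zip(pool, rd))


def compromised_xor(pool: bytes, rd: bytes) -> bytes:
    """Hypothetical failure from the thread: the 'XOR' is executed as a copy
    of the RDRAND operand, so the pool contributes nothing to the result."""
    return bytes(rd)


def output_depends_on_pool(mix: Mixer, rd: bytes, trials: int = 32) -> bool:
    """Hold the hardware bytes fixed and vary the pool; a working mixer must
    produce varying output. A single repeated value means the pool's entropy
    no longer reaches the output at all."""
    outputs = {mix(os.urandom(len(rd)), rd) for _ in range(trials)}
    return len(outputs) > 1


def mixer_leaks_hardware_bytes(mix: Mixer, trials: int = 32) -> bool:
    """Does the mixed output ever equal the raw hardware operand? For a real
    XOR over 16 random bytes this happens with negligible probability; for
    the compromised mixer it happens on every trial."""
    for _ in range(trials):
        pool, rd = os.urandom(16), os.urandom(16)
        if mix(pool, rd) == rd:
            return True
    return False


if __name__ == "__main__":
    for name, mix in (("honest", honest_xor), ("compromised", compromised_xor)):
        print(name, "depends on pool:", output_depends_on_pool(mix, bytes(16)),
              "| leaks hardware bytes:", mixer_leaks_hardware_bytes(mix))
```

The checks are a software-level sanity test of the mixing step's behaviour, not a defence against a CPU that can also rewrite the check itself, which is precisely the difficulty the thread is pointing at.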