Eugen Leitl | 12 Jul 16:20 2013

Re: [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

----- Forwarded message from Matt Mackall <mpm@...> -----

Date: Thu, 11 Jul 2013 17:34:48 -0500
From: Matt Mackall <mpm@...>
To: liberationtech <liberationtech@...>
Subject: Re: [liberationtech] Heml.is - "The Beautiful & Secure Messenger"
X-Mailer: Evolution 3.4.4-1
Reply-To: liberationtech <liberationtech@...>

On Thu, 2013-07-11 at 13:47 -0700, Andy Isaacson wrote:
> > Linux now also uses a closed RdRand [2] RNG if available.
> 
> There was a bunch of churn when this code went in, so I could be wrong,
> but I believe that RdRand is only used to stir the same entropy pool as
> all of the other inputs which are used to generate random data for
> /dev/random et al.  It's hard to leverage control of one input to a
> random pool into anything useful.

It's worth noting that the maintainer of record (me) for the Linux RNG
quit the project about two years ago precisely because Linus decided to
include a patch from Intel to allow their unauditable RdRand to bypass
the entropy pool over my strenuous objections.

From a quick skim of current sources, much of that has recently been
rolled back (/dev/random, notably) but kernel-internal entropy users
like sequence numbers and address-space randomization appear to still be
exposed to raw RdRand output.

(And in the meantime, my distrust of Intel's crypto has moved from
"standard professional paranoia" to "actual legitimate concern".)
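As an added illustration (not code from this thread or from the kernel), a toy hash-based pool contrasting the stirring Andy describes, where hardware RNG output is one more input mixed into the pool, with the bypass Matt objects to, where raw hardware output goes straight to the consumer. Class and function names are my own, and the pool construction is a simplified model, not the Linux implementation.

```python
import hashlib
import os


class EntropyPool:
    """Toy hash-based entropy pool (simplified model, not the kernel's code)."""

    def __init__(self) -> None:
        self.pool = bytes(32)  # all-zero initial state

    def mix_in(self, source: str, data: bytes) -> None:
        # Every input (interrupt timing, disk timing, hardware RNG, ...) is
        # folded into the existing state; no single input replaces it.
        self.pool = hashlib.sha256(self.pool + source.encode() + data).digest()

    def extract(self, n: int) -> bytes:
        # Output is derived from the whole pool, then the pool is re-hashed so
        # later state does not reveal earlier output.
        out = b""
        while len(out) < n:
            out += hashlib.sha256(b"extract" + self.pool).digest()
            self.pool = hashlib.sha256(b"feedback" + self.pool).digest()
        return out[:n]


def get_random_bytes(pool: EntropyPool, hwrng: bytes, n: int, bypass_pool: bool) -> bytes:
    """bypass_pool=True: raw hardware RNG output goes directly to the caller.
    bypass_pool=False: hardware output is just one more pool input."""
    if bypass_pool:
        return hwrng[:n]
    pool.mix_in("rdrand", hwrng)
    return pool.extract(n)


def output_fixed_by_hwrng(bypass_pool: bool) -> bool:
    """Model an observer who knows every hardware RNG output but none of the
    other pool inputs. Returns True if the caller's bytes are completely
    determined by the hardware output alone."""
    hw = bytes(32)  # constructed: a fixed, fully known hardware RNG output
    # Two machines with identical hardware output but different, unknown
    # timing entropy (os.urandom stands in for that unknown input).
    a, b = EntropyPool(), EntropyPool()
    a.mix_in("irq-timing", os.urandom(16))
    b.mix_in("irq-timing", os.urandom(16))
    return get_random_bytes(a, hw, 16, bypass_pool) == get_random_bytes(b, hw, 16, bypass_pool)
```

With the bypass, both machines hand out the same bytes because nothing but the hardware output contributes; with mixing, the unknown timing input makes the two outputs differ.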

James A. Donald | 12 Jul 20:48 2013

Re: [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

On 2013-07-13 12:20 AM, Eugen Leitl wrote:
> It's worth noting that the maintainer of record (me) for the Linux RNG 
> quit the project about two years ago precisely because Linus decided 
> to include a patch from Intel to allow their unauditable RdRand to 
> bypass the entropy pool over my strenuous objections.

Is there a plausible rationale for bypassing the entropy pool?

How unauditable is RdRand?

Is RdRand unauditable because it uses magic instructions that do 
unknowable things?  Is it designed to actively resist audit?  Has Intel 
gone out of its way to prevent you from knowing how good their true 
random generation is?

Patrick Mylund Nielsen | 12 Jul 20:54 2013

Re: [liberationtech] Heml.is - "The Beautiful & Secure Messenger"

On Fri, Jul 12, 2013 at 2:48 PM, James A. Donald <jamesd <at> echeque.com> wrote:
> On 2013-07-13 12:20 AM, Eugen Leitl wrote:
> > It's worth noting that the maintainer of record (me) for the Linux RNG quit the project about two years ago precisely because Linus decided to include a patch from Intel to allow their unauditable RdRand to bypass the entropy pool over my strenuous objections.
>
> Is there a plausible rationale for bypassing the entropy pool?

Throughput? Not bypassing means having to wait until enough randomness has been gathered from trusted sources.

Or maybe it's just trusting Intel and assuming that RDRAND provides better randomness.

_______________________________________________
cryptography mailing list
cryptography@...
http://lists.randombit.net/mailman/listinfo/cryptography
