[141455] in cryptography@c2.net mail archive


Re: very high speed hardware RNG

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Dec 30 19:08:18 2008

Date: Tue, 30 Dec 2008 11:45:27 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Jack Lloyd <lloyd@randombit.net>
Cc: cryptography@metzdowd.com
In-Reply-To: <20081229044906.GC22450@randombit.net>

On Sun, 28 Dec 2008 23:49:06 -0500
Jack Lloyd <lloyd@randombit.net> wrote:

> On Sun, Dec 28, 2008 at 08:12:09PM -0500, Perry E. Metzger wrote:
> > 
> > Semiconductor laser based RNG with rates in the gigabits per second.
> > 
> > http://www.physorg.com/news148660964.html
> > 
> > My take: neat, but not as important as simply including a decent
> > hardware RNG (even a slow one) in all PC chipsets would be.

Of course, every time a manufacturer has tried it, assorted people
(including many on this list) complain that it's been sabotaged by the
NSA or by alien space bats or some such.
 
> I've been thinking that much better than a chipset addition (which is
> only accessible by the OS kernel in most environments) would be a
> simple ring-3 (or equivalent) accessible instruction that writes 32 or
> 64 bits of randomness from a per-core hardware RNG, something like
> 
> ; write 32 bits of entropy from the hardware RNG to eax register
> rdrandom %eax
> 
> Which would allow user applications to access a good hardware RNG
> directly, in addition to allowing the OS to read bits to seed the
> system PRNG (/dev/random, CryptoGenRandom, or similar)

It's not obvious to me that you're right.  In particular, we need to
consider how such an instruction would interact with a virtual machine
hypervisor.  Is it a bug or a feature that the hypervisor can't
intercept the request?  Remember that reproducibility is often a virtue.
> 
> I think the JVM in particular could benefit from such an extension, as
> the abstractions it puts into place otherwise prevent most of the
> methods one might use to gather high-quality entropy for a PRNG seed.
> 
The JVM could just as easily open /dev/urandom today.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
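A small added illustration of the seeding trade-off argued above (it is not code from the thread or from any of its participants): a user-space seed derivation that reads words from the proposed unprivileged instruction but hashes them together with OS pool bytes, so a stuck, sabotaged or hypervisor-replayed source on either side cannot alone decide the seed. The hardware instruction is represented by an injectable read function (a constructed stand-in, since no such instruction is available here), and the OS side defaults to os.urandom, i.e. /dev/urandom.

```python
import hashlib
import os
from typing import Callable

ReadFn = Callable[[int], bytes]


def _prefixed(chunk: bytes) -> bytes:
    """Length-prefix a source so the hash sees unambiguous boundaries."""
    return len(chunk).to_bytes(4, "big") + chunk


def mix_seed(hw_read: ReadFn, os_read: ReadFn = os.urandom,
             nbytes: int = 32, hw_words: int = 8) -> bytes:
    """Derive an nbytes seed from hw_words 32-bit hardware reads plus the OS pool.

    hw_read(4) stands in for one 'rdrandom %eax' (hypothetical instruction,
    stand-in only); os_read(nbytes) stands in for a /dev/urandom read.
    Both are hashed, so each source can only add unpredictability.
    """
    hw = b"".join(hw_read(4) for _ in range(hw_words))
    if len(hw) != 4 * hw_words:
        raise ValueError("hardware source returned a short read")
    osb = os_read(nbytes)
    if len(osb) != nbytes:
        raise ValueError("OS source returned a short read")
    return hashlib.sha256(_prefixed(hw) + _prefixed(osb)).digest()[:nbytes]


def stuck_hw(n: int) -> bytes:
    """Constructed stand-in for a failed or sabotaged hardware RNG: all zeros."""
    return b"\x00" * n


def replayed(material: bytes) -> ReadFn:
    """Constructed stand-in for a source the hypervisor replays identically,
    e.g. after restoring a VM snapshot (the reproducibility case)."""
    return lambda n: material[:n]


if __name__ == "__main__":
    # Stuck hardware source, live OS pool: seeds still differ run to run.
    print(mix_seed(stuck_hw).hex())
    # Both sources replayed: the seed is fully reproducible.
    print(mix_seed(replayed(b"\x11" * 32), replayed(b"\x22" * 32)).hex())
```

With only the hardware side replayed, the seed still varies because the OS pool differs; with both replayed it repeats, which is the "bug or feature" Bellovin points at.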
