[117601] in Cypherpunks

home help back first fref pref prev next nref lref last post

Re: Build a better OTP?

daemon@ATHENA.MIT.EDU (Jim Gillogly)
Mon Sep 6 21:01:22 1999

Message-ID: <37D4619C.EEEF0C9F@acm.org>
Date: Tue, 07 Sep 1999 00:51:40 +0000
From: Jim Gillogly <jim@acm.org>
MIME-Version: 1.0
To: cypherpunks@cyberpass.net
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Reply-To: Jim Gillogly <jim@acm.org>

Somebody wrote [regarding Intel's PIII on-board rng]:
> Your naive paranoia would be charming if it weren't so tiresome.
>
> The basic design is sound; see http://www.cryptography.com/intelRNG.pdf
> for a review by Ben Jun and Paul Kocher, two of the smartest guys around
> when it comes to real-world implementations of crypto technology:

Sure, I trust Kocher to do a very competent analysis of the thing.
However, Intel provided the interface specs only to Microsoft, and
we have to trust them as well as Intel for the post-whitened bits.
The only way we can trust the output of the RNG is if we can test
the thing.

Maybe the one Paul tested was fine, but mine is wedged... I'd
never know the difference, since the output goes through SHA-1
and presumably something else to provide a history pool -- but I
might have ablsolutely zero entropy, and somebody who knows the
state of my computer might be able to take advantage of it.

I'll happily stir it into my /dev/random pool, but unless I can
see the pre-whitened output I won't know a positive value to place
on the randomness I'm adding.

So why isn't Intel telling?  What do they have to hide?  Don't
they know they're not allowed to have privacy any longer?

-- 
	Jim Gillogly
	Highday, 16 Halimath S.R. 1999, 00:45
	12.19.6.9.4, 10 Kan 12 Mol, Fourth Lord of Night


home help back first fref pref prev next nref lref last post