Colin and others write about getting at the raw data stream (in the P3
HRNG).  This is obviously a good thing for the reasons others have
discussed (fewer transistors, better assurance, you get my vote on
that Colin).

However, if the threat model is a highly resourced attacker (such as
say a hostile government agency), with a copy of Intel's layout
description, surely they can produce a plausible mimic function for
Johnson noise (or whatever).

Software has its advantages; RNGs based on the usual external inputs
(mouse, keyboard, disk access, clock jitter etc.) are harder to
generically spike.

I presume (hope) that people would use the raw HRNG output by mixing
in to their existing software RNG along with their other entropy
inputs.

The parameters inputting to the decision of the highly resourced
attacker influencing the cost-effectiveness of using the HRNG spiking
approach are:

- Cost of other approaches (keyboard chip replacement, exploit OS bug,
BIOS spiking etc.)

- Likelihood of selective CPU HRNG spiking being detected (depending
on cost of discovering this per chip, and number of people with
resources to check), and the fact that the resources required to do
this may narrow down the identity of the attacker quite well.

- Negative PR cost and risk of losing much of the investment if target
users become suspicious and switch to AMD.

Adam

(proud owner of amd386sx20, amd386sx33, amd486dx3/120, amd k5/166, amd
k6/233, amd k6-2/350)
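As an added illustration of the mixing point above (example code written for this page, not from the post or from Intel), the block below builds a constructed "spiked" HRNG that is fully predictable to whoever knows its seed yet passes a simple frequency test, and shows that hashing it together with independent software entropy still leaves the result dependent on that other entropy. The seed, the entropy values and the tolerance are assumptions for the demonstration.

```python
import hashlib
import struct


def mimic_hrng(attacker_seed: bytes, nbytes: int) -> bytes:
    """Constructed stand-in for a spiked HRNG: its output looks random to a
    statistical test but is entirely predictable from attacker_seed."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(attacker_seed + struct.pack(">Q", counter)).digest()
        counter += 1
    return out[:nbytes]


def monobit_ok(stream: bytes, tolerance: float = 0.02) -> bool:
    """Simple frequency check on a raw stream: the fraction of one-bits
    should be close to 1/2. A well-built mimic passes this easily."""
    ones = sum(bin(b).count("1") for b in stream)
    return abs(ones / (8 * len(stream)) - 0.5) <= tolerance


def mix_entropy(sources: list[bytes]) -> bytes:
    """Hash all sources together, each length-prefixed so boundaries are
    unambiguous. Controlling one source (the HRNG) does not let an attacker
    predict the output unless they also know every other source."""
    h = hashlib.sha256()
    for src in sources:
        h.update(struct.pack(">I", len(src)))
        h.update(src)
    return h.digest()


def demo() -> dict:
    spiked = mimic_hrng(b"attacker-known-seed", 4096)  # constructed seed
    # Constructed placeholders for software entropy (in practice: mouse,
    # keyboard, disk and clock-jitter timings collected by the OS pool).
    sw_entropy = b"\x13\x37" * 16
    other_sw = b"\x42\x24" * 16
    return {
        "mimic_passes_monobit": monobit_ok(spiked),
        "mixed_depends_on_sw": mix_entropy([spiked, sw_entropy])
        != mix_entropy([spiked, other_sw]),
    }


if __name__ == "__main__":
    print(demo())
```

The statistical check cannot distinguish the mimic from a genuine noise source, which is exactly why the raw stream should be mixed with other entropy rather than trusted on its own.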
