> > > Except that if you are paranoid enough to be worried about some
> > > unknown entity flooding your machine with network packets to
> > > manipulate the output of /dev/urandom, you are likely to not
> > > trust Intel to do RNG in such a way that it can't be fooled with.
> > 
> > And if you're that paranoid, you'll soon understand that there is a 60hz
> > (in the US, 50hz many other places) signal present in anything powered
> > from the wall.
>
> But if you hang an antenna and a 60hz notch filter off of the RNG
> circuit, you can increase the gain of the other noise (power supply
> fan, network cable, printer running, telephone ringer, air
> conditioner, neighbor's Frigidaire, etc.) to the point that the
> 60 cycle element is less significant.

If you read the report on the Intel RNG co-authored by crypto expert
Paul Kocher at http://www.cryptography.com/intelRNG.pdf, you will see
that Intel has anticipated and designed against this type of noise.

The Intel RNG uses the same basic principle as many of the entropy sources
which have been discussed here: a relatively low-frequency event occurs
and is sampled by a high-frequency timer.  The low bits (the low bit, in this
case) of the high-frequency timer are then effectively random as long
as there is enough variation in the timing of the low-frequency event.

In this case, the high-frequency "timer" is simply an oscillator, so
that we sample it at either a 0 or a 1 state.  The low-frequency event
is caused by an oscillator itself, one which runs at approximately 1/100
the rate of the high frequency timer.  The low frequency oscillator
is frequency-modulated by the resistance measured across an undriven
resistor.  This resistance will vary due to thermal noise, which is the
ultimate source of the entropy produced by the chip.

In order to reduce environmental interference, the thermal noise is
actually measured across a pair of resistors, laid out side by side on
the chip, and the difference is used.  Environmental signals will affect
both resistors (almost) identically, and by taking the difference any
effects from the environment are almost eliminated.

Even where environmental noise remains, it is being added to the thermal
noise of the resistors, and can only add further variation to the period
of the low frequency oscillator.  As a general principle of information
theory, adding a known signal to a random signal will still produce
a fully random signal.  Known sources of environmental noise will not
reduce the randomness output by the chip.  And to the extent that the
environmental noise is unknown, it actually increases the entropy.
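As an added illustration (not from the original post or the cited report), here is a toy simulation of the principle described above: a slow oscillator whose period is jittered by resistor noise is sampled by the 0/1 state of a fast one. The sinusoidal "environmental" pickup, the resistor model and the period ratio are constructed assumptions, chosen only to show when the sampled bits are random and when they are not.

```python
"""Toy model of the sampling principle: a slow oscillator, frequency-modulated
by (differential) resistor noise, samples a fast oscillator's 0/1 state.
Constructed illustration with assumed parameters, not Intel's design."""
import math
import random

FAST_PERIOD = 1.0     # fast oscillator period (arbitrary time units)
SLOW_PERIOD = 100.0   # slow oscillator runs at ~1/100 the fast rate


def resistor_noise(rng, t, thermal_sigma, env_amplitude, differential):
    """Noise on the resistor(s) at time t.  Each resistor has independent
    thermal noise; both pick up the same environmental sinusoid (a stand-in
    for mains interference).  The differential reading subtracts the two,
    cancelling the common-mode pickup and leaving only the thermal term."""
    env = env_amplitude * math.sin(2 * math.pi * t / 1000.0)
    r1 = rng.gauss(0.0, thermal_sigma) + env
    r2 = rng.gauss(0.0, thermal_sigma) + env
    return r1 - r2 if differential else r1


def sample_bits(n_bits, seed=1, thermal_sigma=1.0, env_amplitude=0.5,
                differential=True):
    """Each slow-oscillator edge samples the fast oscillator once.  The slow
    period is SLOW_PERIOD plus the resistor noise, so the fast oscillator's
    phase at the edge is unpredictable only if that noise actually varies."""
    rng = random.Random(seed)
    t, bits = 0.0, []
    for _ in range(n_bits):
        t += SLOW_PERIOD + resistor_noise(rng, t, thermal_sigma,
                                          env_amplitude, differential)
        # Fast oscillator state: which half of its period the edge lands in.
        bits.append(int((t % FAST_PERIOD) >= FAST_PERIOD / 2))
    return bits


def ones_fraction(bits):
    """Fraction of 1 bits; about 0.5 for an unbiased source."""
    return sum(bits) / len(bits)


def mean_run_length(bits):
    """Average run of identical bits; 2.0 for independent fair bits."""
    runs = 1 + sum(a != b for a, b in zip(bits, bits[1:]))
    return len(bits) / runs


if __name__ == "__main__":
    for label, kw in [("thermal, differential", {}),
                      ("thermal + big env, single-ended",
                       {"env_amplitude": 5.0, "differential": False}),
                      ("weak thermal noise", {"thermal_sigma": 0.05}),
                      ("env only, no thermal", {"thermal_sigma": 0.0,
                                                "differential": False})]:
        b = sample_bits(20000, **kw)
        print(f"{label:34s} ones={ones_fraction(b):.3f} "
              f"mean run={mean_run_length(b):.1f}")
```

The strong-thermal cases stay unbiased with independent-looking bits even under a large known interference signal, while weak thermal noise yields long correlated runs and a noise-free "environment only" source is a deterministic function of that environment.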

For more details, see the report cited above.  The chip contains
additional stages and design precautions to further improve the quality
of the random values produced.  The output of the chip has been analyzed
with a battery of randomness tests and looks very good.

Here is the conclusion from the cryptography.com report:

   In producing the RNG, Intel applied conservative design,
   implementation, and testing approaches. Design assumptions about the
   random source, sampling method, system consistency, and algorithm
   appear appropriate.  Careful attention was paid to analyze and avoid
   likely failure modes.

   We believe that the Intel RNG is well-suited for use in cryptographic
   applications. Direct use of Intel's software libraries should simplify
   the design and evaluation process for security products. Alternatively,
   developers can combine data from the Intel RNG with data from
   other sources. For example, data from the Intel RNG can be safely
   exclusive-ORed with output from any independent RNG. The Intel RNG
   will help designers avoid relying on proprietary entropy gathering
   techniques in critical security routines. We believe the Intel RNG
   will prevent many RNG failures and improve the integrity and security
   of cryptographic applications.

   Cryptographically, we believe that the Intel RNG is strong and that
   it is unlikely that any computationally feasible test will be found
   to distinguish data produced by Intel's RNG library from output from
   a perfect RNG. As a result, we believe that the RNG is by far the
   most reliable source of secure random data available in the PC.
