Perry Metzger wrote:

> As for their RNG hardware, Paul Kocher was invited to look inside the
> Kimono and has published a full report on it, and he didn't find
> anything odd...

Paul Kocher has said the design looks sound, which I believe, but
unfortunately the raw output of Intel's RNG just plain can't be accessed
without it going through whitening first. Unsurprisingly, all the output
passes all statistical tests. Well, duh, it's been sent through SHA-1. All
that proves is that there's enough entropy in each block being hashed that
none of them got repeated in the tests, and even a measly 20 bits are
likely to do that.

If Intel's RNG really is producing a reliable one bit of entropy per one
bit of output, why don't they just make it accessible without whitening?

Mind you, I don't think Intel's installed a back door with their RNG, I
just think it's likely that the raw output displays some subtle bias, and
they either knew about it or decided to just play it safe, and put the
whitening in.

-Bram
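To make the point about whitening concrete, here is an added Python example (not from this thread or from Intel) that feeds a deliberately biased, constructed bit source through SHA-1 whitening and runs a monobit test on both sides: the biased raw stream fails, the whitened stream passes, and a repeat count shows the only defect an output-only test can still see. The 160-bit block size, the 1:1 input/output ratio and the 0.6 bias are assumptions.

```python
import hashlib
import random
from math import sqrt

BLOCK_BITS = 160   # assumption: one SHA-1 digest emitted per 160 raw bits (1:1 ratio)
Z_CUTOFF = 3.29    # two-sided p ~ 0.001 for a standard-normal statistic


def biased_raw_bits(n_bits, p_one, seed=1):
    """Constructed stand-in for a raw hardware source with a fixed bias toward 1."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def bits_to_bytes(bits):
    """Pack a bit list MSB-first, keeping leading zeros."""
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def whiten_sha1(bits):
    """Hash each 160-bit raw block with SHA-1 and emit the digest bits."""
    out = []
    for i in range(0, len(bits) - BLOCK_BITS + 1, BLOCK_BITS):
        digest = hashlib.sha1(bits_to_bytes(bits[i:i + BLOCK_BITS])).digest()
        out.extend((byte >> k) & 1 for byte in digest for k in range(7, -1, -1))
    return out


def monobit_z(bits):
    """|#ones - #zeros| / sqrt(n); approximately N(0,1) if the bits are unbiased."""
    return abs(2 * sum(bits) - len(bits)) / sqrt(len(bits))


def passes_monobit(bits):
    return monobit_z(bits) < Z_CUTOFF


def repeated_blocks(bits, block_bits=BLOCK_BITS):
    """Number of block values that recur: all a test on whitened output can detect."""
    blocks = [tuple(bits[i:i + block_bits])
              for i in range(0, len(bits) - block_bits + 1, block_bits)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    raw = biased_raw_bits(100 * BLOCK_BITS, p_one=0.6)
    white = whiten_sha1(raw)
    for name, b in (("raw", raw), ("whitened", white)):
        print(f"{name:8s} z={monobit_z(b):6.2f} pass={passes_monobit(b)} "
              f"repeats={repeated_blocks(b)}")
```

A 60/40 bias fails the monobit test by a wide margin before hashing and is invisible after it, which is why access to the pre-whitening output is what a reviewer actually needs.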
