I'd like to tone this discussion down a bit and get back to basics.
First of all, I am happy to thank Intel for finally releasing the
hardware interface. I hadn't known about its release until this
thread. I'm always grateful when someone does the right thing, even
if it's late. Second, I have to agree, reluctantly, that people
building diskless nodes should use the Intel RNG if they have it and
can't get anything better designed into their hardware. The software
alternatives are just not acceptable.

Anonymous asks what we want from Intel. OK, here is my list:

First, a principle of operations document for the RNG under Intel's
name. More details than Paul gave would be better, particularly
design margins and test procedures, but at least the level of
information he gives. What difference would it make? It would put
Intel's name and reputation squarely behind the claimed design being
what is delivered, not just Paul's.

Second, I want access to the raw bits. Short out the on-chip
whitener, if necessary. There is no need for it and it prevents us
from characterizing the RNG design ourselves. It also reduces the
random bit rate for no good reason. The danger associated with
making the raw bits available is negligible. The few people that will
use the raw bits are going to be clueful enough to whiten them with
a hash. Intel can cover its backside by explaining the need to do so
clearly in its manual. (They now have to explain that the code for
extracting the bytes has to be protected in a multithreaded
environment. Had Intel not been trying to produce "perfect" random
bytes, they could have included a status bit in each random byte and
avoided all that complexity.) And even if someone did use the raw
bits without whitening, the added vulnerability is quite small,
assuming the bias is at all reasonable.

Third, I would like Intel (and other CPU and support chip vendors) to
recognize that cryptographers need designs that are transparent,
verifiable and traceable. As a vendor it's Intel's job to win their
customers' confidence. If that means a more open design process and
independent verification of random samples from the production line,
so be it. Yes, we will always want more. Sorry. The reason
cryptographers are hard customers is that we face very hard problems.
A more open process is in Intel's interest as well. Intel might get
some good ideas if they talked to us first. And one of these days
there is going to be a security screw-up big enough to attract the
class action bar. Lawyers have a field day with unjustified secrecy,
especially at defendants with deep pockets.

Arnold Reinhold
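The two things the message says raw-bit access buys you (characterizing the source's bias yourself, then whitening it with a hash) as an added Python example; this is not code from the original post or from Intel. The biased bit stream is a constructed stand-in for a hardware source, and SHA-256 over 2048-bit blocks is an assumed whitener choice.

```python
import hashlib
import math
import random


def biased_bits(n, p_one, seed=0):
    # Constructed stand-in for a raw (unwhitened) hardware bit stream:
    # independent bits with P(bit = 1) = p_one. Seeded so the demo repeats.
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def bias(bits):
    # Deviation of the one-frequency from 1/2; about 0 for an unbiased source.
    return sum(bits) / len(bits) - 0.5


def min_entropy_per_bit(bits):
    # Conservative entropy estimate from the observed one-frequency alone.
    # Only possible when the raw bits are visible, which is the point above.
    p1 = sum(bits) / len(bits)
    return -math.log2(max(p1, 1 - p1))


def hash_whiten(bits, block_bits=2048, entropy_per_bit=None):
    # Hash fixed-size blocks of raw bits with SHA-256 and keep only as many
    # output bits as the block's estimated min-entropy justifies (max 256).
    # The output/input ratio is the rate cost the message mentions.
    if entropy_per_bit is None:
        entropy_per_bit = min_entropy_per_bit(bits)
    keep = min(256, int(block_bits * entropy_per_bit))
    out = []
    for i in range(0, len(bits) - block_bits + 1, block_bits):
        block = bits[i:i + block_bits]
        raw = int("".join(map(str, block)), 2).to_bytes(block_bits // 8, "big")
        digest = hashlib.sha256(raw).digest()
        digest_bits = [(b >> (7 - k)) & 1 for b in digest for k in range(8)]
        out.extend(digest_bits[:keep])
    return out


if __name__ == "__main__":
    raw = biased_bits(200_000, 0.6)      # a noticeably biased constructed source
    white = hash_whiten(raw)
    print(f"raw bias {bias(raw):+.4f}, min-entropy/bit {min_entropy_per_bit(raw):.3f}")
    print(f"whitened bias {bias(white):+.4f}, output/input ratio {len(white) / len(raw):.3f}")
```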