There are plenty of ways to design an apparently random number generator so that you can predict the output (exactly or approximately) without causing any obvious flaws in the pseudorandom output stream. Even the smallest bias can significantly reduce security. This could be a critical failure, and we have no way to determine whether or not it is happening.
As for preventing potential security holes and making the backdoor deniable, that takes a little more thinking. And for legal issues, there are any number of hand-wavy blame-shifting schemes that Intel and whoever would want to backdoor their RNG could use. I contest the idea that we should ignore the fact that Intel's RNG could be backdoored. Just because other problems exist doesn't mean we should ignore this one. I agree that perhaps worrying about this constitutes being "too paranoid", but no cryptographer ever got hurt by being too paranoid, and not trusting your hardware is a great place to start.

On Fri, Jul 12, 2013 at 7:20 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

> Nico Williams <n...@cryptonector.com> writes:
>
> >I'd like to understand what attacks NSA and friends could mount, with Intel's
> >witting or unwitting cooperation, particularly what attacks that *wouldn't*
> >put civilian (and military!) infrastructure at risk should details of a
> >backdoor leak to the public, or *worse*, be stolen by an antagonist.
>
> Right. How exactly would you backdoor an RNG so (a) it could be effectively
> used by the NSA when they needed it (e.g. to recover Tor keys), (b) not affect
> the security of massive amounts of infrastructure, and (c) be so totally
> undetectable that there'd be no risk of it causing a s**tstorm that makes the
> $0.5B FDIV bug seem like small change (not to mention the legal issues, since
> this one would have been inserted deliberately, so we're probably talking
> bet-the-company amounts of liability there).
>
> >I'm *not* saying that my wishing is an argument for trusting Intel's RNG --
> >I'm sincerely trying to understand what attacks could conceivably be mounted
> >through a suitably modified RDRAND with low systemic risk.
>
> Being careful is one thing, being needlessly paranoid is quite another. There
> are vast numbers of issues that crypto/security software needs to worry about
> before getting down to "has Intel backdoored their RNG".
>
> Peter.
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
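The opening claim of the message above, that a generator can be fully predictable to an insider while its output stream shows no statistical flaw, is easy to make concrete. The following is an added example written for this page, not code from the thread, from Intel, or from any real RNG; it is a toy hash-based DRBG with a hypothetical vendor constant (`BACKDOOR_CONST`, an assumption) folded into its state, and only 16 bits of genuine entropy. Anyone running monobit or chi-square tests on the output sees nothing wrong; anyone who knows the constant recovers the whole state from a single observed block and predicts every later output.

```python
import hashlib
import math
import os
from typing import Optional

# Assumed, for illustration only: a fixed constant baked into the generator and
# known to whoever planted the backdoor. To an outsider it is just "the design".
BACKDOOR_CONST = b"example-vendor-constant"
SEED_BYTES = 2                      # only 16 bits of real entropy enter the state
SEED_SPACE = 1 << (8 * SEED_BYTES)


def _block(seed: int, counter: int) -> bytes:
    """One 32-byte output block: SHA-256(constant || seed || counter).

    Each block is indistinguishable from random without BACKDOOR_CONST;
    with it, the entire state is a 16-bit brute-force.
    """
    msg = BACKDOOR_CONST + seed.to_bytes(SEED_BYTES, "big") + counter.to_bytes(8, "big")
    return hashlib.sha256(msg).digest()


class BackdooredDRBG:
    """Looks like a hash DRBG in counter mode; actually has 16 bits of state."""

    def __init__(self, seed: Optional[int] = None):
        self.seed = int.from_bytes(os.urandom(SEED_BYTES), "big") if seed is None else seed
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += _block(self.seed, self.counter)
            self.counter += 1
        return bytes(out[:n])


def monobit_z(data: bytes) -> float:
    """Monobit statistic in the style of NIST SP 800-22; |z| > ~3 would look suspicious."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return abs(2 * ones - n) / math.sqrt(n)


def byte_chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against uniform (255 dof, expect ~255)."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


def recover_seed(first_block: bytes) -> Optional[int]:
    """Backdoor holder's attack: brute-force the 16-bit seed from one observed block."""
    for s in range(SEED_SPACE):
        if _block(s, 0) == first_block:
            return s
    return None


def predict(seed: int, counter: int, n: int) -> bytes:
    """With the seed recovered, compute output the attacker never observed."""
    nblocks = (n + 31) // 32
    return b"".join(_block(seed, counter + i) for i in range(nblocks))[:n]


def demo(seed: Optional[int] = None) -> dict:
    """Victim draws 4 KiB; attacker sees one block, then predicts the next 64 bytes."""
    drbg = BackdooredDRBG(seed)
    stream = drbg.random_bytes(4096)          # victim's output, e.g. used as key material
    observed = stream[:32]                    # attacker captures one block (say, a nonce)
    recovered = recover_seed(observed)
    future = drbg.random_bytes(64)            # e.g. the victim's next private key
    guessed = predict(recovered, 4096 // 32, 64) if recovered is not None else None
    return {
        "monobit_z": monobit_z(stream),       # looks fine: typically well under 3
        "chi_square": byte_chi_square(stream),  # looks fine: around 255
        "true_seed": drbg.seed,
        "recovered_seed": recovered,
        "predicted_future_key": guessed == future,
    }


if __name__ == "__main__":
    print(demo())
```

The statistical tests are the wrong tool here by construction: the output is a cryptographic hash of distinct inputs, so any black-box test passes, and the only thing that distinguishes this generator from an honest one is knowledge of its internals. That is the sense in which "we have no way to determine whether or not it is happening" from the output stream alone; auditing the design, or mixing hardware output with other entropy so that no single source controls the result, are the usual responses.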