Uri wrote:
>> It might also use things like RDRAND / RDSEED which we don't trust.
> ...
> From a cryptography point of view, it cannot hurt, but may help a lot
There is a scenario where it does hurt:
https://www.lvh.io/posts/2013/10/thoughts-on-rdrand-in-linux.html

This attack wouldn't be difficult to implement given all the out-of-order execution and look-ahead that CPUs do. It requires a compromised RDRAND instruction changing the behaviour of a subsequent XOR into a copy. Not only would it not be producing random bits, but it would remove any randomness from the bits you already have.

Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
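The fault model Pauli describes, as an added example that is not part of the thread and is not OpenSSL code: a software simulation in which the XOR that folds RDRAND output into an entropy pool degrades into a plain copy of the RDRAND operand. The `honest_xor`, `faulted_xor`, `xor_mix`, `hash_mix` and `pool_entropy_survives` names are this example's own, the 32-byte "hardware" value is constructed, and the model deliberately assumes the fault hits only a direct XOR on the RDRAND result, not the internals of a hash function. It shows why folding the value in through a hash with the rest of the pool keeps the pool's contribution even when the hardware output is adversarial, whereas a single XOR loses everything.

```python
import hashlib

POOL_BYTES = 32

# Constructed stand-in for RDRAND output (assumption: attacker-chosen, so it is
# not a secret in the threat model discussed in the thread).
HW_OUTPUT = bytes(range(POOL_BYTES))


def honest_xor(pool: bytes, hw: bytes) -> bytes:
    """Correct XOR of the pool with the hardware output."""
    return bytes(p ^ h for p, h in zip(pool, hw))


def faulted_xor(pool: bytes, hw: bytes) -> bytes:
    """Modelled fault: the XOR following RDRAND behaves as a copy of its RDRAND operand.
    The pool input is ignored entirely, so the result is exactly the hardware value."""
    return bytes(hw)


def xor_mix(pool: bytes, hw: bytes, xor=honest_xor) -> bytes:
    """Pool update that folds hardware output in with a single XOR (the pattern at risk)."""
    return xor(pool, hw)


def hash_mix(pool: bytes, hw: bytes) -> bytes:
    """Pool update that hashes the hardware output together with the existing pool.
    Under this model the fault cannot replace the whole hash with a copy, so the
    output keeps its dependence on the pool even if `hw` is attacker-controlled."""
    return hashlib.sha256(b"pool:" + pool + b"hw:" + hw).digest()


def pool_entropy_survives(mix, hw: bytes, trials: int = 16) -> bool:
    """Return True if distinct pool states still produce distinct mixed outputs.

    Uses deterministic pool states (constructed, not random) so the check is
    reproducible; a mixer that collapses to the hardware value yields one output."""
    outputs = {mix(bytes([i]) * POOL_BYTES, hw) for i in range(trials)}
    return len(outputs) == trials


def faulted_output_is_hw(hw: bytes) -> bool:
    """Under the fault, the XOR-mixed pool equals the hardware value bit for bit."""
    pool = b"\x5a" * POOL_BYTES
    return xor_mix(pool, hw, xor=faulted_xor) == hw


if __name__ == "__main__":
    print("XOR mix, honest hardware :", pool_entropy_survives(lambda p, h: xor_mix(p, h), HW_OUTPUT))
    print("XOR mix, faulted XOR     :", pool_entropy_survives(lambda p, h: xor_mix(p, h, faulted_xor), HW_OUTPUT))
    print("hash mix, faulted XOR    :", pool_entropy_survives(hash_mix, HW_OUTPUT))
    print("faulted output == HW     :", faulted_output_is_hw(HW_OUTPUT))
```

The model is narrow on purpose: it captures the specific "XOR becomes copy" behaviour from the linked post, not arbitrary microcode misbehaviour, and hashing is a mitigation for that pattern rather than a proof of safety against a hostile CPU.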