From: daw@mozart.cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] (0/4) Entropy accounting fixes
Date: 9 Sep 2002 16:58:50 GMT [thread overview]
Message-ID: <alik0a$70c$1@abraham.cs.berkeley.edu> (raw)
In-Reply-To: 20020909165303.GA31597@waste.org
Oliver Xymoron wrote:
>This argument assumes you have knowledge of the inner workings of this
>step. To the best of my knowledge no one outside of Intel has cracked
>open this chip and actually tested that this black box _does what it
>says its doing_. This is what is meant by auditing.
Yes, I agree. The tests are only useful if you trust that Intel is
not maliciously out to get you. For instance, they are useful if you
believe that Intel is well-intentioned but fallible (which strikes me
as likely to be the right threat model for most ordinary Linux users).
Whether you like it or not, you're already trusting Intel, if you're
using an Intel chip. If Intel were malicious and out to get you, they
could have put a backdoor in the chip. And a RNG is *much* easier to
reverse-engineer and audit than an entire CPU, so it would probably be
riskier for Intel to hide a backdoor in the RNG than in, say, the CPU.
>What right-thinking paranoid would place any faith in an analysis with
>an Intel copyright? This is practically marketing fluff anyway.
Marketing fluff? I take it that's a joke: I wish the marketing fluff
I get had this much technical content and documented its experimental
procedure like this.
Anyway, I place some trust in the analysis not because of who owns its
copyright (I mean, come on) but because it has Paul Kocher's name on it.
His reputation is excellent. He is one of the top two or three in the
business. I know him personally, and I don't believe he would place
his stamp of approval on a RNG he knows to be broken.
Obviously Intel paid for this analysis to be performed -- that's how the
security consulting business works -- but that doesn't mean Intel paid
for preferential, biased treatment. Frankly, Intel probably couldn't
afford it. I trust Paul Kocher to do an impartial, independent analysis,
because I've seen him do it before. Intel probably couldn't pay him
enough to make up for the amount of money he'd lose if he were caught
"cheating".
Again, this review is no guarantee. There are still lots of things that
could go wrong. Maybe there is a flaw that Paul Kocher overlooked.
Maybe there is a secret backdoor. Maybe Intel changed the design
of their RNG since the review and inadvertently introduced a defect.
But Kocher's review raises the level of assurance we can have.
Bottom line: I claim that the Intel RNG is better studied than most
other entropy sources available on the typical PC. I challenge you to
find a review like this for, say, soundcard entropy.
>But we can actually audit the former and decided whether to trust it.
I'm not sure what makes a soundcard any easier to audit than the Intel
RNG. Our soundcards could have a secret hardware backdoor hidden in
them, too.
Anyway, as I said in my previous email, you shouldn't be using only
a single entropy source in any case. Use both the soundcard and the
Intel RNG. They have different failure modes, and the risk that they
both fail is smaller than the risk that just one will fail.
And, if you're a government agency protecting classified information,
you probably have other RNG sources at your disposal and would be unlikely
to use the Linux RNG in any case.
next prev parent reply other threads:[~2002-09-09 17:10 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-08-18 2:15 [PATCH] (0/4) Entropy accounting fixes Oliver Xymoron
2002-08-18 2:23 ` [PATCH] (1/4) " Oliver Xymoron
2002-08-18 2:26 ` [PATCH] (2/4) Update input drivers Oliver Xymoron
2002-08-18 2:29 ` [PATCH] (3/4) SA_RANDOM user fixup Oliver Xymoron
2002-08-18 2:32 ` [PATCH] (4/4) entropy batching update Oliver Xymoron
2002-08-18 2:30 ` [PATCH] (0/4) Entropy accounting fixes Linus Torvalds
2002-08-18 2:59 ` Oliver Xymoron
2002-08-18 3:08 ` Linus Torvalds
2002-08-18 3:25 ` Linus Torvalds
2002-08-18 4:42 ` Oliver Xymoron
2002-08-18 4:53 ` Linus Torvalds
2002-08-18 5:05 ` Dmitri
2002-08-18 6:18 ` Oliver Xymoron
2002-08-22 3:33 ` David Wagner
2002-08-18 10:30 ` Alan Cox
2002-08-18 15:08 ` Oliver Xymoron
2002-08-18 17:31 ` Jonathan Lundell
2002-08-22 3:27 ` David Wagner
2002-08-18 4:30 ` Oliver Xymoron
2002-08-21 8:44 ` Rogier Wolff
2002-08-21 12:47 ` Oliver Xymoron
2002-08-18 5:28 ` Andreas Dilger
2002-08-18 5:53 ` Oliver Xymoron
2002-08-22 3:25 ` David Wagner
2002-08-18 3:05 ` Linus Torvalds
2002-08-18 3:51 ` Robert Love
2002-08-18 4:01 ` Linus Torvalds
2002-08-18 5:38 ` Oliver Xymoron
2002-08-19 4:21 ` Theodore Ts'o
2002-08-19 10:15 ` Marco Colombo
2002-08-19 10:25 ` Oliver Neukum
2002-08-19 11:03 ` Marco Colombo
2002-08-19 14:22 ` Oliver Neukum
2002-08-19 15:21 ` Marco Colombo
2002-08-19 16:29 ` Oliver Neukum
2002-08-19 12:39 ` Oliver Xymoron
2002-08-18 6:31 ` Robert Love
2002-08-18 6:48 ` Oliver Xymoron
2002-08-18 4:06 ` dean gaudet
2002-08-18 4:44 ` Oliver Xymoron
2002-08-18 7:31 ` Bernd Eckenfels
2002-08-18 9:48 ` Ralf Baechle
2002-08-20 12:51 ` Bernd Eckenfels
2002-08-18 16:58 ` Robert Love
2002-08-18 10:25 ` Alan Cox
2002-08-19 10:47 ` Marco Colombo
2002-08-19 12:29 ` Alan Cox
2002-08-19 12:56 ` Marco Colombo
2002-09-08 3:43 ` D. Hugh Redelmeier
2002-09-08 18:03 ` David Wagner
2002-09-09 16:53 ` Oliver Xymoron
2002-09-09 16:58 ` David Wagner [this message]
2002-09-09 19:47 ` Oliver Xymoron
2002-09-09 23:22 ` David Wagner
2002-09-16 22:51 ` dean gaudet
2002-09-17 1:18 ` Oliver Xymoron
2002-09-09 18:54 ` Kent Borg
2002-09-09 19:57 ` Oliver Xymoron
2002-09-09 20:11 ` Kent Borg
2002-08-18 4:57 ` Oliver Xymoron
2002-08-18 4:28 ` Oliver Xymoron
2002-08-18 4:51 ` Linus Torvalds
2002-08-18 5:24 ` Oliver Xymoron
2002-08-18 16:59 ` Linus Torvalds
2001-11-02 10:34 ` Pavel Machek
2002-08-23 20:16 ` Linus Torvalds
2002-08-18 17:03 ` Robert Love
2002-08-18 17:31 ` Oliver Xymoron
2002-08-18 16:54 ` Robert Love
2002-08-18 17:18 ` Oliver Xymoron
2002-08-18 17:20 ` Robert Love
2002-08-19 5:43 ` Theodore Ts'o
2001-11-02 10:05 ` Pavel Machek
2002-08-19 6:06 ` *Challenge* Finding a solution (When kernel boots it does not display any system info) louie miranda
2002-08-19 7:30 ` Gilad Ben-Yossef
2002-08-19 7:30 ` Ryan Cumming
2002-08-20 0:55 ` louie miranda
2002-08-19 13:52 ` [PATCH] (0/4) Entropy accounting fixes Oliver Xymoron
2002-08-20 8:59 ` Tommi Kyntola
2002-08-20 13:21 ` Oliver Xymoron
2002-08-20 16:19 ` Tommi Kyntola
2002-08-20 17:22 ` Oliver Xymoron
2002-09-08 3:51 ` D. Hugh Redelmeier
2002-09-08 4:31 ` Oliver Xymoron
-- strict thread matches above, loose matches on Subject: below --
2002-08-18 4:57 David Brownell
2002-08-18 6:02 ` Oliver Xymoron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='alik0a$70c$1@abraham.cs.berkeley.edu' \
--to=daw@mozart.cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox