
Let's assume that the Intel RDRAND instruction does not return fully random num


Question

Let's assume that the Intel RDRAND instruction does not return fully random numbers, e.g. because it has been engineered with a backdoor for the NSA.

If the Intel RDRAND instruction is used directly by a software implementation, what post-processing could be performed to make sure that the output would be indistinguishable from random again? The procedure should not be CPU intensive, as an application could as well use the OS-provided random number generator if that were the case.

Presumption: the random numbers returned by RDRAND do at least comply with FIPS tests against the output for random numbers.

Explanation / Answer

The Unix/Linux /dev/random source code has a concept of 'stirring' the entropy pool. If you stirred the RDRAND entropy an unknown, variable amount of times then an attacker isn't going to be able to reverse that easily. Better if you mix entropy from other sources as well into the entropy pool. Never rely on one source of entropy. Also after stirring the pool, run it through a randomness extractor before using anything from it.

Though if RDRAND/CPU has a secret trigger event, say it detects a key being generated, or a TLS session being initiated, then it could start pumping out lots of zeros. That would be very hard to detect and even if you were mixing it into the entropy pool it would still suffer. You would need to verify all output from the Intel RNG directly before using it, but that might be difficult. There was a paper written on this not long ago, I'll see if I can find it.
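The mixing scheme the answer describes (a second entropy source, a hash-based extractor, and a check for a source that has gone stuck on one value), as an added example that is not part of the original answer. RDRAND is stood in for by a constructed `cpu_source_stub`, since the instruction is not reachable from plain Python; the health-check cutoff and the 8-block sample size are assumptions chosen for illustration.

```python
import hashlib
import hmac
import itertools
import os

HEALTH_BLOCKS = 8  # 8-byte blocks sampled from the CPU source per request

def cpu_source_stub(pattern):
    """Constructed stand-in for RDRAND: cycles through 8-byte values.
    A real deployment would call the instruction through a native shim."""
    it = itertools.cycle(pattern)
    return lambda: next(it)

def repetition_check(blocks, cutoff=4):
    """Repetition-count test (SP 800-90B style): reject a source whose
    output is stuck on one value for 'cutoff' consecutive blocks."""
    run, prev = 0, None
    for b in blocks:
        run = run + 1 if b == prev else 1
        prev = b
        if run >= cutoff:
            return False
    return True

def extract(cpu_blocks, os_bytes):
    """Extract step: hash both sources into one pool key. The key stays
    unpredictable as long as at least one input is, so a weak or
    backdoored CPU source cannot cancel out a good OS source."""
    h = hashlib.sha256()
    for b in cpu_blocks:
        h.update(b)
    h.update(os_bytes)
    return h.digest()

def expand(key, n):
    """Expand step: derive n output bytes from the pool key with HMAC,
    so raw pool material is never handed out directly."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def random_bytes(n, cpu_source, os_source=os.urandom):
    """Sample the CPU source, health-check it, mix it with the OS source
    and return n bytes; a stuck CPU source is refused rather than mixed."""
    blocks = [cpu_source() for _ in range(HEALTH_BLOCKS)]
    if not repetition_check(blocks):
        raise RuntimeError("CPU RNG output stuck; refusing to use it")
    return expand(extract(blocks, os_source(32)), n)
```

The per-request cost is one SHA-256 over 96 bytes plus one HMAC per 32 output bytes, well under the cost of a system call to the OS generator for small requests.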