Regarding "(I'm not sure I agree with Linus that mixing in a known-tainted RDRAND stream would nevertheless invariably improve randomness, but on the surface, it shouldn't reduce it.)": I think it's fair to say it would, in practice.
Even if the NSA knows how to predict the output of rdrand (because it's really some stream cipher with a known key or something), most people don't. Therefore, it wouldn't improve the randomness of the final stream from the NSA point of view, but it would from the point of view of any other attacker not in the secret. So I think it's fair to say it can't do harm and it can actually do some good.
See also the previous discussion:
https://news.ycombinator.com/item?id=6359892
The consensus seems to be that if the NSA can backdoor rdrand so deeply that it can keep track of the CPU state and the contents of the RAM then you might as well throw away the whole CPU, why would you choose to trust all instructions but rdrand? They could have compromised the interrupt vector, the syscall vector or anything else.
This feels like "rumor based cryptography" or more precisely "FUD based cryptography". We're just running in circles.
The main concern about random number generation is that if you use the output of RdRand exclusively, it's fairly easy to backdoor in such a way that it looks completely random to all outside observers, but the NSA has a key that could allow them to predict the output based on past output. However, mixing it with the state of an already good random number generator (which the kernel needs to have anyhow for platforms without an RdRand instruction) pretty much negates that attack.
No one (reasonable) is actually particularly concerned that Intel themselves has backdoored RdRand. But they do want to ensure that they are protected in the case that at some point in the future, some other architecture adds a random number generation instruction and that is backdoored. And since you need to continue to do software random number generation anyhow, the best way to use RdRand is to use both, mix them, and get the best of both worlds (fast entropy available in environments with limited entropy sources, and an auditable software random number generator).
All of the other attacks that people are suggesting require a whole hell of a lot more silicon, require changing the behavior of unrelated instructions, and so on. They're just too complex and too fragile to be feasible.
Instead, why don't we spend our time naming and shaming the companies that actually do use backdoored random number generation, like RSA security:
> Apparently, RSA Security BSAFE Share for Java 1.1 has DUAL_EC_DRBG as a default:
> "The default Pseudo Random Number Generator (PRNG) is the Dual EC-DRBG using a P256 curve with prediction resistance off."
> I didn't find an obvious link for the equivalent C/C++ library documentation, but the RSA BSAFE CNG Cryptographic Primitives Library 1.0 FIPS 140-1 Security Policy document from RSA Security at the NIST site says (p.14):
> "The Module provides a default RNG, which is the Dual EC DRBG, using a P256 curve and SHA-256."
> Additionally, the RSA BSAFE Crypto-C Micro-Edition 3.0.0.2 FIPS 140-1 Security Policy says (p.17):
> "For R_FIPS140_MODE_FIPS140_ECC and R_FIPS140_MODE_FIPS140_SSL_ECC, Crypto-C ME implements a Dual ECDRBG (Cert. #137) internally"
> I'd be more than a bit wary of any product using RSA Security libraries.
From: https://lwn.net/Articles/566329/
For a while, people were confused about why the NSA would have gotten the Dual EC DRBG random number generator introduced into a standard, as it's so much slower than most of the other available random number generators, and it was only a year after the standard was released that the potential backdoor was pointed out. Well, apparently RSA has decided that it's the best RNG available, perhaps with some influence from the NSA.
It is worth noting that police used to be able to exploit firewire DMA to bypass disk encryption and copy encryption keys out of memory from any system with a firewire port. This has been fixed and a CPU-level exploit for crypto seems unlikely to me because making something that not only worked consistently but didn't slow down general purpose programming when it worked, would be an engineering marvel.
This being said, having clear, unimpeachable code in these areas is a good start because it helps ensure that other problems are not lurking under the surface.
If it's ain't broke...
Or in this case:
If you can't prove it's broke...
EDIT: I would also remind everybody that if they really don't trust rdrand for any reason they can just add the "nordrand" boot kernel param and disable this code. It's a non-issue.
This isn't cryptography, it's politics. The 'taint' is ideological.
Presumably, there are limits to the amount of silicon that Intel/NSA can devote to backdooring everyone. Since other instructions are supposed to behave deterministically, it could be expensive to backdoor them in a way that would not easily be discovered.
On the other hand, RDRAND could be a straightforward Dual_EC_DRBG implementation, which would be a very cheap and effective backdoor that would also have the nice benefit of keeping people's communications secure against everyone except the NSA.
Of course, there's also the possibility that there's no backdoor, but that the implementation is still buggy.
There's no reason why our trust in the hardware has to be all or nothing.
Even if rdrand is backdoored it would have to be a significant supplier of entropy in the resulting random number for this to be a meaningful attack vector, as soon as you mix it with other (good enough, large enough) sources of entropy you get a situation where some other attack is more likely to be far more feasible than to use the knowledge about some of the bits that rdrand contributes to the entropy pool.
Such as:
- good old b&e and placing a keylogger or hardware bug
(very easy to hide in a keyboard)
- a compromised bit of the OS
- compromising the application that you use to encrypt your messages or finding a significant weakness in the application.
- doing any of the above with the recipientAll it has to do is detect the code sequence in question and XOR the output of RDRAND with the randomness from the other entropy sources before returning it. The two XORs cancel out, and this is completely undetectable because there's no way to distinguish between a true random bitstream, a good PRNG, and a good PRNG XORed with data you provided based on the bits themselves.
/dev/random = a XOR b
If the NSA only knows "a", that's fine, "b" is still pretty random. They can't compromise the randomness of "b" unless they know "b".
Now if they know "b", then we're screwed whether we use RDRAND or not, and safe encryption using Intel chips is just impossible. However I don't think anybody is suggesting that.
How is that going to work? i.e. how is RDRAND going to 'detect the code sequence'?
Extraordinary claims...
How is that easy ? No, predicting or detecting that the returned value of your assembly instruction will later be xor'ed by some other value, in all it's machine code variants that different versions of gcc will produce, is not easy.
It is theoretically possible if you have access to the CPU design and can modify it, but even then it is very non-trivial, if even doable in the general case.
There are several free CPUs around you can instantiate on an FPGA and boot linux on - if someone makes a proof-of-concept rdrand() on one of these that can detect the future bit operations on the value(even when it's moved to another register or to/from main memory) and cancel out that bit operation - then I'll believe it's possible.
Until then, I'm more(more compared to not at all is still very little) worried that:
* the chip (whose part number google knows nothing about) in my dsl modem have a backdoor and being able to mirror all its traffic
* that the baseband chip in my HTC has the same ability - in addition to the know ability of being able to report its gps location without informing me
* that the NSA probably still can read my gmail mail
* that my raspberry pi SoC can contain an unknown component that dumps it's memory out the ethernet card
* that the latest iPhone perhaps complies nicely with the 3GPP TS 33.108 spec.
This function is the exported kernel interface. It returns some
number of good random numbers, suitable for key generation, seeding
TCP sequence numbers, etc.
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.g...
Note that this was version 3 of that patch. Versions 1 and 2 also took control of /dev/urandom. Here is v2:
http://thread.gmane.org/gmane.linux.kernel/1173350/focus=117...
A year later, Ted Ts'o made get_random_bytes() go through the usual entropy pool and added get_random_bytes_arch() for a consumer that doesn't want to go through the entropy pool. (The core kernel does not currently use get_random_bytes_arch() anywhere.)
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.g...
Note that the heated discussion came before v3 of Anvin's patch, and thus /dev/urandom was included. Matt's objections were perhaps not expressed very clearly, but Linus was pretty cavalier in overruling Matt Mackall (the /dev/random maintainer at that time) and I think his retort to George Spelvin's very rational objection was unreasonable:
http://thread.gmane.org/gmane.linux.kernel/1173350/focus=117...
I find it scary that these commits made it as far as they did. Note also that on the day of the leaks (ironic timing), Ts'o had to shoot down a RedHat engineer proposing to once again make get_random_bytes() bypass the kernel entropy pool.
https://lkml.org/lkml/2013/9/5/212
As for other locations, the point is to be undetectable while deployed at massive scale. Keyloggers and active backdoors are much higher risk. Great for a targeted investigation, but terrible for untargeted passive surveillance.
https://plus.google.com/u/0/117091380454742934025/posts/XeAp...
Somebody should be apologizing here, and it isn't Linus.
That being said, I have more confidence in Linus's knowledge regarding /dev/random. Mostly because XOR in this context is secure:
1. XOR is an incredibly powerful encryption algorithm (not primitive); one of the best we have. The problem with XOR is that you MUST use a UNIQUE one time pad (that is the length of the data) for every message AND you need to be able to securely transmit that one time pad. AES CTR is effectively using AES to create a one time pad for XOR encryption, as an example.
2. The prior steps are effectively creating a irrecoverable OTP meaning that any malicious intent in RRAND is effectively encrypted away.
But no, Intel made a sluggish hardware PRNG that occasionally eats some thermal bits just to make crypto guys happy -- and bang, now everybody thinks it is an NSA backdoor.
Also I don't understand why you rant against PRNGs. Do you know that this stretching of actual random data makes RDRAND considerable faster than using actual randomness?
[1]Source: http://stackoverflow.com/questions/10484164/what-is-the-late...
And I'm not ranting, I'm just crying over a lost opportunity. Nowadays you must spend time to think which PRNG to use and how to implement it to satisfy some quality/speed trade-off; an RNG (infinite cycle by design) directly connected to CPU (no transfer bottlenecks) that passes Die Hard (read random enough for science) would be a golden bullet.
Yes, PRNG makes RDRAND faster than its entropy source in its current design; but it is not hitting any wall. Intel engineers could made it way faster if they had focused on maximal throughput possible not just big enough for crypto.
I have all the respect for the guy, really, but then I read his guardian article "how to keep your data safe and secure" and mentions keeping "air gap" between computers with sensitive data but then he himself admits after all his methods and safeguards for the leaks he is working with, he uses Windows and usb-sticks to transfer (encrypted) files between them.
He uses Windows.
He uses Windows.
And he was claiming in the article that free and open source are better for security. Oh really, so your encrypted files on your usb-sticks for sure cant spread malware through your airgap through a file-system exploit? For sure it has never been done before that a file system could be used to take over an OSs internals, oh never.
Bruce Schneier can be presumed to have evaluated his risks; he's a very well known author on exactly that.
At least Linux and BSD source is viewable by people. Lots of people.
You are using sources s1, s2, s3. Then final result is combination c(s1,s2,s3). Now somebody screws up something and the sources s1 and s2 start returning just constant values. If you were just using s1 and s2 you would immediately notice this. However since you are combining all three, you are getting something that looks good but what might not be really secure if the source s3 is compromised.
(I think this came up in some HN discussion some weeks ago)
I'm not familiar with the Linux implementation so I don't know if this has any meaning there.
If the CPU did give you a RDRAND value that was pre-baked to weaken the number it thinks you're going to XOR it against it, it would be easy to detect this by feeding RDRAND the same input state repeatedly and seeing if there is a pattern to what is spit out or if it is indeed statistically random... So why hasn't someone (who thinks RDRAND is a trap) done that instead of just claiming it could maybe be doing something fishy?
To further throw you off, it could be the case that the back door is only exploitable after, say, 1kB of output, and it is "truly random" prior to that. That would be plenty useful for the NSA's purposes. It might even be that the back door is only exploitable for some part of the output, maybe the part where you are most likely to find a suitable prime number during some key generation process. Intel periodically releases new products, so the NSA would have plenty of chances to update the backdoor as software changes.
The rougue RDRAND would become active only in a CPU which the back-door has been exploited. It wouldn't be active off-the-shelf.
If this were true and you set up a repeatable test situation in which you force the other parts of the RNG to generate the same numbers prior to RDRAND and then did the RDRAND and captured the results then I don't see how one could argue RDRAND is compromised in this way if the results coming out of it over time even appear to be statistically random.
...unless people think the chip is also detecting situations where you are actively trying to fool it by setting up repeated simulations of the same initial value to be XORed, which strains credibility way beyond what I'm willing to believe.
Backdooring rdrand is of little to no interest given how PRNGs are built.
...
Oh wait, he isn't. The author of the article is just another "tech blogger" that is interested in page views. So what's more interesting an article to write: one about RDRAND, or one about how mean, naughty and rude that ignorant "Linus Torvalds" person is? The second option will generate more page views so the choice is obvious.
Since the author of the article is quick to criticize Linus and his way of expressing himself, even going so far as to, in a bullet list, sentence Linus to community service for the crime of not being as kind, understanding and tolerant a person as the author, I'm going to do the same.
Hey, article author! If I were king, here's what I would want you to do:
* Write an operating system that is used by millions of people and powers a large part of the Internet (together with BSD and friends).
* Write a distributed CVS that is also used by millions of people.
* Stop writing bullet lists about people.
* Stop trying to attract hits to your tech blog and create something of use to the human species. How about rewriting the graphics support in the kernel or something?
* Criticize what people say, not how they say it.
I'm tempted to go on, but I know that the author has no interest in neither learning nor creating anything, only criticizing other people, so anything I write is for the enjoyment of HN (in addition to mine).
> "Write an operating system that is used by millions of people and powers a large part of the Internet (together with BSD and friends)."
Linux wrote a kernel, not the full OS user land. What's more, most of the code in Linux (the kernel) isn't actually written by him - these days he's job is more that of a maintainer. Not that I'm trying to undermine his achievements - just pointing out that you're making the same exaggerated arguments as the blogger you're condemning.
> " Stop writing bullet lists about people."
You mean like the bullet list you've just written?
> "Stop trying to attract hits to your tech blog and create something of use to the human species."
Again, like you've just done. Let me explain with a little code:
($potkettleblack = $_) =~ s/tech blog/forums/;
Which would be fine if the whole premise of your argument is complaining about not what the blog said by how the blogger said it.
Don't get me wrong, I have a lot of respect for Torvalds, but your comments were -at best- hypocritical. Though I'd say they were much worse than that as at least the blog in question added some content to compliment their clickbait headline. You've not even touched on the real subject matter of this topic.
Also, what's the use of an open-source OS that is used by millions if it is shrouded in esoteric arguments? I would certainly like Linux developers to better express themselves even if _I_ can't build such a system myself.
So ridiculing him instead attacking his arguments is A-OK but he has to keep silent because Thorwalds is a great coder?
And I have to agree with you about his obvious lack of expertise in the department. Where he fails to make a compelling article is not his lack of expertise, rather the lack of interviewing many people who do have that expertise.