<div dir="ltr">Instead of assuming, you should've used Google ;-)<div><br></div><div style>To my (limited, I'm far from a crypto expert) understanding, Intel of course also seeds the PRNG with a true random number generator, and it complies NIST standard for randomness.</div>
<div style><br></div><div style><a href="http://software.intel.com/en-us/blogs/2012/11/17/the-difference-between-rdrand-and-rdseed">http://software.intel.com/en-us/blogs/2012/11/17/the-difference-between-rdrand-and-rdseed</a><br>
</div><div style><br></div><div style>I think what Ts'o was meaning, is that you fear NSA told Intel to lie and give non-random numbers that looks like random numbers (for which a trivial implementation is to encrypt a counter with a key known only to the NSA and Intel).</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jan 3, 2013 at 11:57 AM, Oleg Goldshmidt <span dir="ltr"><<a href="mailto:pub@goldshmidt.org" target="_blank">pub@goldshmidt.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Thu, Jan 3, <a href="tel:2013" value="+9722013">2013</a> at 10:53 AM, Baruch Siach <<a href="mailto:baruch@tkos.co.il">baruch@tkos.co.il</a>> wrote:<br>
> Hi Oleg,<br>
><br>
> On Sun, Dec 30, <a href="tel:2012" value="+9722012">2012</a> at 10:40:31AM +0200, Oleg Goldshmidt wrote:<br>
>> On Sun, Dec 30, <a href="tel:2012" value="+9722012">2012</a> at 8:46 AM, shimi <<a href="mailto:linux-il@shimi.net">linux-il@shimi.net</a>> wrote:<br>
>> > I really don't think so. SSDs (IMHO) makes computer much faster due to the<br>
>> > VERY low seek time - the time it takes you to get a block. Compare 10-20ms<br>
>> > with ~0.1ms. A regular hard drive simply wastes a lost of time seeking the<br>
>> > data, instead of... reading it :)<br>
>><br>
>> Absolutely correct. However, there is a tiny fraction of the seek time<br>
>> that is not always a waste, and I think it is worth mentioning. There<br>
>> is, I believe, a consideration that is usually overlooked when SSDs<br>
>> are considered for server use, including a "desktop" that is used as a<br>
>> server, which is why I am mentioning it here. In a server, magnetic<br>
>> disk rotation - or, rather the air turbulence generated between the<br>
>> rotating disk and its enclosure - is the only source of entropy that<br>
>> makes random numbers random (seek times have a tiny random component<br>
>> due to the turbulence, and it is captured). This does not apply to<br>
>> SSDs, and as a result your security may be compromised (attacks<br>
>> exploiting not very random RNGs are well known).<br>
><br>
> Recent Intel CPUs introduced the RDRAND instruction that is essentially a<br>
> Random Number Generator. Recent kernels (v3.2 and later) added support for<br>
> this instruction. See <a href="http://git.kernel.org/linus/628c6246d4" target="_blank">http://git.kernel.org/linus/628c6246d4</a>. See also the<br>
> related commit (from v3.6) at <a href="http://git.kernel.org/linus/c2557a303" target="_blank">http://git.kernel.org/linus/c2557a303</a> (and note<br>
> the funny commit log).<br>
><br>
> These patches were backported to all supported stable kernel trees (back to<br>
> v2.6.32).<br>
<br>
</div></div>Note that the commit log (and Ted Ts'o really knows what he is talking<br>
about) makes an important point, and I'll add one of my own.<br>
<br>
1) Always use /dev/random even if a HW RNG is available. /dev/random<br>
is where the disk-generated entropy ends up. If /dev/random is not<br>
there you are in trouble.<br>
<br>
2) I would not only be worried about an NSA backdoor in Intel CPUs,<br>
but also about the degree of randomness of their generator. If it is<br>
flawed (and it is notoriously difficult to do a really good PRNG - I<br>
assume it is a PRNG, otherwise Ted would not be worried about NSA<br>
backdoor) you will have no fix path. A PRNG needs a truly random seed<br>
at least, which is where /dev/random comes in.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Oleg Goldshmidt | <a href="mailto:pub@goldshmidt.org">pub@goldshmidt.org</a><br>
</font></span><div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</div></div></blockquote></div><br></div>