lists.openwall.net: Open Source and information security mailing list archives
Date:	Thu, 05 Jul 2012 16:45:12 -0500
From:	Matt Mackall <mpm@...enic.com>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	Theodore Ts'o <tytso@....edu>,
	Linux Kernel Developers List <linux-kernel@...r.kernel.org>,
	w@....eu, ewust@...ch.edu, zakir@...ch.edu, greg@...ah.com,
	nadiah@...ucsd.edu, jhalderm@...ch.edu, tglx@...utronix.de,
	davem@...emloft.net, stable@...nel.org
Subject: Re: [PATCH 07/10] random: add new get_random_bytes_arch() function

On Thu, 2012-07-05 at 11:35 -0700, Linus Torvalds wrote:
> If Intel's rng really isn't trustworthy, they'll get a *huge* black
> eye for it. It would be a total PR disaster for Intel, so they have
> huge incentives to be trustworthy.

Just like the huge black eye that _every major US telecom company_ got
when they got caught colluding with the NSA to spy on Americans in
obvious violation of US law? You'll recall that it was such a *huge* PR
disaster... that they're all still doing it today(!), that Congress
retroactively changed the law(!), and that the whistleblower was
indicted for espionage(!).

I agree that Intel's hardware is very probably not backdoored, but
that's simply not a standard by which threats should be measured in this
field. Treating a backdoor scenario as outside the realm of possibility
based on appeals to reputation given such obvious, massive, and recent
precedent to the contrary is... not a typical security mindset, to put
it mildly.

Lastly, note that it would take a single well-placed engineer to insert
the backdoor, by just masking out some parts of the AES data path. No
collusion by Intel at a corporate level is actually even necessary.

Generating random bytes is not so performance critical that you should
trade all protection from potential threats for Gbps of throughput.
By all means, USE the HWRNG's output, but not raw. Mix it with other
entropy sources first.

-- 
Mathematics is the supreme nostalgia of our time.
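The rule stated at the end of the mail (use the HWRNG output, but never raw; mix it with other entropy first), as an added example that is not part of Matt's mail, of the patch under discussion, or of the kernel's random.c. It models the threat he describes: a HWRNG whose output the attacker already knows. The extractor here is a plain SHA-256 over a labelled concatenation of a HWRNG sample and a sample from an independent pool (the kernel's own mixing function is different and is not reproduced); the function names and the HWRNG and pool bytes are constructed for the example, and on real x86 hardware the HWRNG bytes would come from RDRAND instead. SHA-256 is inlined so the file builds with nothing but libc.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not kernel code: derive output from a HWRNG sample AND an
 * independent pool sample through SHA-256, so predicting the result requires
 * knowing both. HWRNG/pool bytes are constructed; on x86 hw would be RDRAND. */

static const uint32_t K[64] = {
 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 };

#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
#define CH(x, y, z)  (((x) & (y)) ^ (~(x) & (z)))
#define MAJ(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#define BS0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
#define BS1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
#define SS0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ ((x) >> 3))
#define SS1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ ((x) >> 10))

static void sha256_block(uint32_t s[8], const uint8_t b[64])  /* one compression */
{
    uint32_t w[64], v[8], t1, t2;
    int i;
    for (i = 0; i < 16; i++)
        w[i] = (uint32_t)b[4*i] << 24 | (uint32_t)b[4*i+1] << 16 | (uint32_t)b[4*i+2] << 8 | b[4*i+3];
    for (; i < 64; i++)
        w[i] = SS1(w[i-2]) + w[i-7] + SS0(w[i-15]) + w[i-16];
    memcpy(v, s, sizeof v);
    for (i = 0; i < 64; i++) {
        t1 = v[7] + BS1(v[4]) + CH(v[4], v[5], v[6]) + K[i] + w[i];
        t2 = BS0(v[0]) + MAJ(v[0], v[1], v[2]);
        v[7] = v[6]; v[6] = v[5]; v[5] = v[4]; v[4] = v[3] + t1;
        v[3] = v[2]; v[2] = v[1]; v[1] = v[0]; v[0] = t1 + t2;
    }
    for (i = 0; i < 8; i++) s[i] += v[i];
}

void sha256(const uint8_t *msg, size_t len, uint8_t out[32])  /* one-shot, FIPS 180-4 padding */
{
    uint32_t s[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
    uint8_t blk[64];
    uint64_t bits = (uint64_t)len * 8;
    size_t i, rem;
    for (i = 0; i + 64 <= len; i += 64) sha256_block(s, msg + i);
    rem = len - i;
    memset(blk, 0, 64); memcpy(blk, msg + i, rem); blk[rem] = 0x80;
    if (rem >= 56) { sha256_block(s, blk); memset(blk, 0, 64); }
    for (i = 0; i < 8; i++) blk[63 - i] = (uint8_t)(bits >> (8 * i));
    sha256_block(s, blk);
    for (i = 0; i < 8; i++) {
        out[4*i] = s[i] >> 24; out[4*i+1] = s[i] >> 16; out[4*i+2] = s[i] >> 8; out[4*i+3] = s[i];
    }
}

int sha256_selftest(void)  /* known answer: SHA-256("abc") from FIPS 180-4; 1 on match */
{
    static const uint8_t want[32] = {
        0xba,0x78,0x16,0xbf,0x8f,0x01,0xcf,0xea,0x41,0x41,0x40,0xde,0x5d,0xae,0x22,0x23,
        0xb0,0x03,0x61,0xa3,0x96,0x17,0x7a,0x9c,0xb4,0x10,0xff,0x61,0xf2,0x00,0x15,0xad };
    uint8_t got[32];
    sha256((const uint8_t *)"abc", 3, got);
    return memcmp(got, want, 32) == 0;
}

/* The mail's rule: never hand out HWRNG bytes raw. Hash a fixed-size HWRNG
 * sample together with a fixed-size sample from an independent pool, under a
 * label, so the concatenation is unambiguous without length fields. */
void mix_rng_output(const uint8_t hw[32], const uint8_t pool[32], uint8_t out[32])
{
    uint8_t buf[8 + 64];
    memcpy(buf, "hwrngmix", 8);          /* domain-separation label */
    memcpy(buf + 8, hw, 32);
    memcpy(buf + 40, pool, 32);
    sha256(buf, sizeof buf, out);
}

/* Threat model from the mail: a backdoored HWRNG whose output the attacker
 * knows (modelled as all zeros). Returns 1 if the mixed output still changes
 * with one pool bit the attacker does not know, and is not the raw bytes. */
int backdoored_hwrng_still_safe(void)
{
    uint8_t hw[32] = {0}, pool_a[32], pool_b[32], out_a[32], out_b[32];
    int i;
    for (i = 0; i < 32; i++) pool_a[i] = pool_b[i] = (uint8_t)(i * 7 + 1);  /* constructed pool */
    pool_b[31] ^= 1;
    mix_rng_output(hw, pool_a, out_a);
    mix_rng_output(hw, pool_b, out_b);
    return memcmp(out_a, out_b, 32) != 0 && memcmp(out_a, hw, 32) != 0;
}

int main(void)
{
    printf("sha256 selftest: %d, backdoored HWRNG still safe: %d\n",
           sha256_selftest(), backdoored_hwrng_still_safe());
    return 0;
}
```

The property worth noticing is the one the mail argues for: with `hw` fixed to a value the adversary knows, the output still depends on every bit of `pool`, so a silently weakened HWRNG degrades to "contributes nothing" rather than "determines everything". The reverse also holds, so a good HWRNG still strengthens the output when the pool is poor. The cost is one hash per 32 bytes, which is the throughput trade the mail says is worth making.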

