|↓||Skip to table of contents||↓|
|This is the talk page for discussing improvements to the RdRand article.|
|WikiProject Computing / Hardware||(Rated Start-class, High-importance)|
|WikiProject Linux||(Rated Start-class, High-importance)|
How often is the deterministic generator seeded by the non deterministic conditioner seeded by the entropy source?
In Ivy Bridge, the entropy source runs at 2.5Gbps. The conditioning ratio is 2:1, so the seeding data rate is 1.25 Gbps. Each seed is 256 bits. So the DRBG is reseeded at a maximum rate of 4.88 Million 256bit seeds per second. It will not reseed if there have been no RdRand instructions executed since the last reseed, since it will halt for power saving purposes when idle. David in oregon (talk) 20:21, 15 December 2011 (UTC)
The goal here was to create a random number generator that was compliant to published standards (specifically, SP800-90A) for cryptographically secure RNGs, not to create an ideal RNG.John
In addition, the recently announced RdSeed instruction available on future processors will provide ideal random numbers, compliant with the forthcoming SP800-90B & C specification, albeit more slowly than RdRand. RdSeed uses a CS-PRNG for speed and rate matching.220.127.116.11 (talk) 21:29, 30 November 2012 (UTC)
- There is no need for an example because the rdrand instruction on my Ivy Bridge laptop causes an illegal instruction exception. Those x86/AMD64 chips are getting so dirty and full of antiquated junk that they are hardly to be relied on any more. — Preceding unsigned comment added by 18.104.22.168 (talk) 03:18, 5 April 2014 (UTC)
This criticism is illogical and draws together unrelated facts to draw readers to an incorrect interpretation. It is stated that the Dual_EC_DRBG of SP800-90A is kleptographic, but the other three, including the CTR_DRBG are uncontroversial. RdRand is known to use the CTR_DRBG algorithm, so the kleptographic nature of the Dual_EC_DRBG is irrelevant to RdRand and it is incorrect to imply that criticism of the Dual_EC_DRBG constitute criticism of RdRand. — Preceding unsigned comment added by 22.214.171.124 (talk) 00:18, 4 October 2013 (UTC)
This: "It is impossible for software to tell whether this instruction is actually returning random numbers or whether it has been deliberately subverted, either by Intel, by a malware microcode patch, or by a virtual machine operating system. " is not a valid criticism of RdRand. It is true of all instructions. Trust in the hardware platform has to be established by means outside the running software. David in oregon (talk) 00:32, 4 October 2013 (UTC)
- RdRand is unique in that it is defined to return an unpredictable result. The results of other instructions can be tested; for example, when the floating point division instruction was producing incorrect results in some Intel chips, other instruction sequences could be used to calculate the expected result and compare it to the instruction's result to detect the failure. There is no other instruction sequence that has even a miniscule chance of predicting the expected result of RdRand. Thus, RdRand can be subverted without making the processor internally inconsistent. There is no way for software to detect this subversion, unlike many other forms of possible processor subversion. This criticism IS valid, and it is particularly relevant because of the history of many cryptosystems failing due to poor random number generation and because of NSA's documented preference to attack random number generators to make cryptosystems fail. Gnuish (talk) 07:12, 5 October 2013 (UTC)
- As a practical matter, end users are UNABLE to establish trust in a hardware platform as complex and hard to reverse-engineer as a 2013 CPU chip. Even if Intel had the best of intentions, covert manipulation of automatically generated chip masks, performed by many possible attackers in addition to NSA, cannot be ruled out. Also, because this is defined to be a platform instruction, there will be non-Intel chips that implement it. Even if Intel's are trustworthy, other implementations are not guaranteed to be, and therefore software cannot trust the randomness of the resulting numbers. Gnuish (talk) 07:12, 5 October 2013 (UTC)
- Intel's effort to produce reliably random numbers for use in software protocols is laudable, and the numbers produced are useful even if they are only somewhat random, not reliably random. The concept of reliable randomness for encryption protocols is sufficiently slippery and systemic that it cannot be achieved merely by delegating the whole matter to a single all-encompassing instruction. Gnuish (talk) 07:12, 5 October 2013 (UTC)
This: "One of the standards it relies on, NIST SP800-90, was led by an NSA employee" needs to be substantiated or deleted. SP800-90 lists Elaine Barker and John Kelsey as authors. To my knowledge they are NIST employees, not NSA employees. David in oregon (talk) 00:35, 4 October 2013 (UTC)
Should David in oregon be editing this page? He appears to be the designer of the instruction which is the subject of the Wikipedia article. I think this relationship is a little close for maintaining a Wikipedia:Neutral point of view. Gnuish (talk) 07:12, 5 October 2013 (UTC) A fair point. Perhaps someone else would care to keep the content objective. It certainly isn't right now. — Preceding unsigned comment added by David in oregon (talk • contribs) 21:12, 5 October 2013 (UTC)
- I propose delete remarks about Dual EC DRBG as I don't see relevance - DBRG is code. RdRand is IIRC a pair of chattering flipflops - there's no app for that.
- I also propose critic s/b id'd as "Linux kernel contributor" Ts'o and his remarks s/b phrased as an allegation on his part that he experienced "pressure" from Intel engrs to do that. After that the referenced link to Ts'o's G+ page may be enough, let's discuss:
- Remaining 2 issues in that paragraph are, shall we say that Mr. Ts'o cited as supporting evidence the NY Times quote? And shall we say that Ts'o favors improved ability to audit?
- If an encyclopedia includes the NY Times quote in such a context, it needs to note something like "NY Times report that casts doubt on all `chips' and `chipmakers' though not RdRand in particular" or like that.
- I'm not settled either way if an encyclopedia has reason to include Ts'o's remarks about ability to "audit" RdRand. In favor of including Ts'o's "audit" remark - one can "audit" code that extracts entropy from e.g. clock skew; I can think of other reasons in favor. Against inclusion, I have no secondary sources in support of any of those reasons in favor of inclusion; worse, lack of ability to thoroughly validate any RNG whatever is a documented criticism of all RNGs, not RdRand in particular. So if we do include "audit" we have a serious mess that we would need to talk about more - I suggest those in favor continued inclusion of "audit" remark start new head on this Talk page for that. No discussion, I vote delete, and readers can go to Ts'o's G+ site for more. Why do I think more discussion is needed to justify further inclusion of "audit" remark? I don't think Wikipedia can publish every potshot without context. If included, the article might need to also note and document that there is no adequate theory of how to validate in finite time that any RNG is truly random; that every physical entropy source has design obscurities by definition, and in practice, trade secrets; I'd expect topic of PRNG weakenesss would also arise in such a discussion. I can't cite the key references to any of that material right this moment bec. gov't sites down including NIST (I think the proximate cause for server shutdown may be, ironically, nobody to watch the firewalls during budget stalemate).
- Gnuish, to address some other issues you raise above, AFAIK physical RNGs are all without exception in some sense black boxes; discrete units, not just processor-integrated units, are also subject to those and other criticisms; moreover RdRand is extremely competitive in terms of ability to test - the chip-health tester has it's own health tester if I'm not mistaken; and a reasonable analyst can sometimes find some good things about doing security at instruction level instead of code that can be compromised - so I see David's point. Now David, the fact is security community is in a pickle right now; even setting that aside, the holes RdRand filled with 90B compliance, regrettably or not, cause holes in 90B, AIS, and METAS alike to become more visible, and whack-a-mole is the official sport in this field of endeavor; and though Gnuish isn't perfectly clear he alludes to fact that risk profiles of integrated and discrete physical RNGs are overlapping but different, meaning that there are indeed some unique risks to integrated (even if there is a man-in-the-middle risk unique to discrete that counters his argument); In that sense RdRand is a substantial technical accomplishment but is not above criticism. munge (talk) 21:18, 6 October 2013 (UTC)
- Hold the phone. In fact-checking proposed change I came across this quote from Linus Torvalds.
- We use rdrand as _one_ of many inputs into the random pool, and we use it as a way to _improve_ that random pool. So even if rdrand were to be back-doored by the NSA, our use of rdrand actually improves the quality of the random numbers you get from /dev/random. Really short answer: you're ignorant.
- So that seems to suggest a Controversy section would replace the Criticisms section. I propose the following two sentences:
- "Various critics<1><2> have expressed doubts about the integrity of RdRand and have implied that governments have secretly compromised the security of the instruction. Lead Linux developer Linus Torvalds responded<3> to such criticism, saying "We use rdrand as one of many inputs in to the random pool...our use of rdrand actually improves the quality of the random numbers you get" from Linux's mechanism for providing random numbers to programs that need them.
- I've never had luck with footnotes in Talk: pages so, <1> would refer to Ts'o, <2> to something related to the change.org petition that was suspended, and <3> to the article in The Register.
- munge (talk) 02:44, 10 October 2013 (UTC)
- NIST site now back up after gov't out of suspend mode. Some relevant stuff there causes me to feel we're still not there yet, and I'm grateful for a little more patience.munge (talk) 06:24, 19 October 2013 (UTC)
- I renamed the criticism section per WP:CRITICISM. Any WP:COI editors should announce themselves per usual, and make suggestions here. I moved the linked title (following MOS) to the see also, and now that the long-suspected backdoor in Dual EC DRBG has been leaked, a source linking or not linking Bullrun (decryption program) would help the above and provide appropriate WP:WEIGHT (such as ), Bull Run Mountain being a coincidence or not linking Bullrun and Bull Mountain. Widefox; talk 00:30, 2 January 2014 (UTC)