
RDRAND

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by David in oregon (talk | contribs) at 00:43, 4 October 2013 (→ Criticisms). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

RdRand (also RDRAND) is an instruction for returning random numbers from an on-chip random number generator.[1] RdRand is available in Ivy Bridge processors[note 1] and is part of the Intel 64 and IA-32 instruction set architectures. The random number generator is compliant with security and cryptographic standards such as NIST SP800-90,[3] FIPS 140-2, and ANSI X9.82.[1]

The CPUID instruction can be used to check whether the CPU supports the RDRAND instruction. If supported, bit 30 of the ECX register is set after calling CPUID standard function 01H.[4]

The opcode for RDRAND is 0x0F 0xC7, followed by a ModRM byte that specifies the destination register, optionally preceded by a REX prefix in 64-bit mode.[5]
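The two paragraphs above describe a feature check (CPUID leaf 01H, ECX bit 30) and an instruction encoding (0F C7 plus a ModRM byte, with an optional REX prefix). The following C program, an added example that is neither the article's nor Intel's code, puts both into practice: it decodes the CPUID bit, encodes the instruction bytes for a chosen register, and wraps the instruction in the retry loop that RDRAND needs because it signals "no data ready" by clearing CF instead of returning a value. Two details are assumptions drawn from Intel's DRNG implementation guide (reference 1 on the page) rather than stated in the article: the ModRM reg field for RDRAND is 6 (the /6 opcode extension), and a caller should retry up to 10 times when CF is 0. `fake_step` is a constructed stand-in so the retry loop can be exercised without RDRAND-capable hardware, and the program degrades to "unsupported" on non-x86 builds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define RDRAND_EXAMPLE_X86 1
#else
#define RDRAND_EXAMPLE_X86 0
#endif

/* CPUID.01H:ECX bit 30 advertises RDRAND (Intel SDM, as the article states). */
#define CPUID_01H_ECX_RDRAND_BIT 30u

/* Pure decoder, so the feature test can be checked without real hardware. */
bool ecx_advertises_rdrand(uint32_t ecx) {
    return ((ecx >> CPUID_01H_ECX_RDRAND_BIT) & 1u) != 0;
}

/* Query the running CPU. False on non-x86 builds or when the bit is clear. */
bool cpu_supports_rdrand(void) {
#if RDRAND_EXAMPLE_X86
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return false; /* leaf 01H absent */
    return ecx_advertises_rdrand((uint32_t)ecx);
#else
    return false;
#endif
}

/* Encode "RDRAND r32/r64": 0F C7 followed by ModRM with mod=11, reg field 6
   (assumption: the /6 extension from the SDM), rm = low 3 bits of the register
   number. REX is emitted for 64-bit operands (REX.W) or for r8..r15 (REX.B).
   Writes at most 4 bytes to `out` and returns the encoded length. */
size_t encode_rdrand(unsigned reg, bool is64, uint8_t out[4]) {
    size_t n = 0;
    uint8_t rex = 0x40;
    if (is64)     rex |= 0x08;      /* REX.W: 64-bit operand size */
    if (reg >= 8) rex |= 0x01;      /* REX.B: extends the ModRM rm field */
    if (rex != 0x40) out[n++] = rex;
    out[n++] = 0x0F;
    out[n++] = 0xC7;
    out[n++] = (uint8_t)(0xC0 | (6u << 3) | (reg & 7u));
    return n;
}

/* One attempt: RDRAND writes the register and sets CF=1; CF=0 means no data. */
typedef bool (*rdrand_step_fn)(uint32_t *out);

#if RDRAND_EXAMPLE_X86
static bool rdrand32_step(uint32_t *out) {
    unsigned char ok;
    __asm__ volatile("rdrand %0\n\tsetc %1" : "=r"(*out), "=qm"(ok) : : "cc");
    return ok != 0;
}
#endif

/* Generic retry loop with an injectable step function so it is testable.
   On success returns true and the number of attempts used; false if all failed. */
bool rdrand_retry(rdrand_step_fn step, unsigned max_attempts,
                  uint32_t *out, unsigned *attempts) {
    for (unsigned i = 1; i <= max_attempts; i++) {
        if (step(out)) {
            if (attempts) *attempts = i;
            return true;
        }
    }
    if (attempts) *attempts = max_attempts;
    return false;
}

/* Wrapper with the 10-attempt budget (assumption from Intel's DRNG guide).
   The CPUID gate matters: executing RDRAND on a CPU without it raises #UD. */
bool rdrand_u32(uint32_t *out) {
#if RDRAND_EXAMPLE_X86
    if (!cpu_supports_rdrand()) return false;
    return rdrand_retry(rdrand32_step, 10, out, NULL);
#else
    (void)out;
    return false;
#endif
}

/* Constructed stand-in for tests: fails (CF=0) `fake_failures_left` times, then
   succeeds with a fixed value. Not a model of the real DRNG's timing. */
static unsigned fake_failures_left;
void fake_step_set(unsigned failures) { fake_failures_left = failures; }
bool fake_step(uint32_t *out) {
    if (fake_failures_left) { fake_failures_left--; return false; }
    *out = 0xDEADBEEFu;
    return true;
}

int main(void) {
    uint8_t buf[4];
    size_t n = encode_rdrand(0, true, buf);
    printf("rdrand rax encodes as:");
    for (size_t i = 0; i < n; i++) printf(" %02X", buf[i]);
    printf("\nCPUID.01H:ECX.RDRAND = %d\n", cpu_supports_rdrand());
    uint32_t v;
    if (rdrand_u32(&v)) printf("RDRAND returned 0x%08X\n", v);
    else printf("RDRAND unsupported here, or no data after 10 attempts\n");
    return 0;
}
```

Build with `cc -O2 rdrand_example.c`; no `-mrdrnd` flag is needed because the instruction is emitted through inline assembly rather than a compiler intrinsic. The CPUID gate in `rdrand_u32` is the part worth copying: a program that executes RDRAND on the basis of a compile-time flag alone faults with an illegal-instruction exception on CPUs that lack it.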

Intel Secure Key is Intel's code name for both the RdRand instruction and the underlying random number generator (RNG) hardware implementation.[1] Intel calls its RNG a "digital random number generator". The generator uses an on-processor entropy source, which passes the randomly generated bits to an AES (in CBC-MAC mode) conditioner to distill the entropy into non-deterministic random numbers. A deterministic random-bit generator is seeded by the output from the conditioner, providing cryptographically secure random numbers to applications that request them via the RdRand instruction.[1][6]

Criticisms

One of the standards it relies on, NIST SP800-90, contains four random number generators. The generators named CTR_DRBG (used by RdRand), Hash_DRBG, and HMAC_DRBG[3] are built from uncontroversial cryptographic primitives used in an uncontroversial manner, but the remaining one, Dual_EC_DRBG, is known to be kleptographic.[7] However, the RdRand implementation does not use the Dual_EC_DRBG algorithm. Theodore Ts'o publicly stated, "I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction. To quote from the article below: 'By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors....' Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea."[8]

Notes

  1. ^ In some Ivy Bridge versions, due to a bug, the RdRand instruction causes an Illegal Instruction exception.[2]

References

  1. ^ a b c d "Intel Digital Random Number Generator (DRNG): Software Implementation Guide, Revision 1.1" (PDF). Intel Corporation. 2012-08-07. Retrieved 2012-11-25.
  2. ^ Desktop 3rd Generation Intel® Core™ Processor Family, Specification Update (PDF). Intel Corporation. January 2013.
  3. ^ a b Barker, Elaine; Kelsey, John (2012). "Recommendation for Random Number Generation Using Deterministic Random Bit Generators" (PDF). National Institute of Standards and Technology. Retrieved September 16, 2013.
  4. ^ "Volume 1, Section 7.3.17, 'Random Number Generator Instruction'" (PDF). Intel® 64 and IA-32 Architectures Software Developer's Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C. Intel Corporation. 2013. p. 177. Retrieved 24 June 2013. "All Intel processors that support the RDRAND instruction indicate the availability of the RDRAND instruction via reporting CPUID.01H:ECX.RDRAND[bit 30] = 1."
  5. ^ http://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide
  6. ^ Taylor, Greg; Cox, George (2011). "Behind Intel's New Random-Number Generator". IEEE Spectrum.
  7. ^ Bruce Schneier (November 15, 2007). "Did NSA Put a Secret Backdoor in New Encryption Standard?". Wired.
  8. ^ September 6, 2013 Google Plus posting by Theodore Ts'o