Linus Torvalds responds:

Where do I start a petition to raise the IQ and kernel knowledge of people?

Guys, go read drivers/char/random.c. Then, learn about cryptography. Finally, come back here and admit to the world that you were wrong.

Short answer: we actually know what we are doing. You don't.

Long answer: we use rdrand as _one_ of many inputs into the random pool, and we use it as a way to _improve_ that random pool. So even if rdrand were to be back-doored by the NSA, our use of rdrand actually improves the quality of the random numbers you get from /dev/random.

Really short answer: you're ignorant.


Posted on September 09, 2013
Discussion
  • Dale Emmons MADISON, WI
    • over 1 year ago

    Actually a CPU doesn't even need to be particularly smart if it can work together with a backdoored hypervisor. A CPU merely needs to throw an exception on RDRAND and let a malicious hypervisor emulate the call (with full access to the stack). Totally undetectable from the perspective of the guest OS, and the CPU behavior could be triggered remotely.

    Again, the possibility of undetectable tampering can be eliminated while still using RDRAND by mixing it in before the SHA, at no extra cost. It worries me that nobody wants to do that.

  • Brad Peabody LOS ANGELES, CA
    • over 1 year ago

    (Correction, sorry - not return value - the values written to "out".)

  • Brad Peabody LOS ANGELES, CA
    • over 1 year ago

    @Dale Sure - you do have a point. But if the CPU is literally reading the state of the RNG out of the stack of this function, could it not just modify the return value of the function anyway? Surely it could. Which is why I'm saying if the attack is that sophisticated, we're basically already screwed.

  • Dale Emmons MADISON, WI
    • over 1 year ago

    Brad -

    It doesn't need to know that much about the state of the RNG, only the next 10 words. Besides, my point is why even make it a possibility if the XOR can be applied to some or all of 'extract' before the SHA/fold? The cost is virtually the same and it eliminates this kind of attack, far-fetched as it may seem.

  • Brad Peabody LOS ANGELES, CA
    • over 1 year ago

    The point being made by Taylor is that rdrand could be "smart" enough to understand the state of the rest of the random number generator (which would require reading various state information from a combination of CPU cache, registers or memory) and use that to intentionally spoil the output of the function. This is a no-issue. If that is the case and the CPU is being tampered with in such a way as to perform this kind of sophisticated attack, then why does one xor even matter? As he points out already: "This is the CPU, remember. It can pretty much do anything it wants."

    Changing the number generation to exclude rdrand isn't going to improve security.

    So while I disagree with Linus' necessity of vehemently insulting people, he is right, and he does know what he is doing.

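The ordering Dale and Brad argue about (XOR the hardware word into 'extract' before the SHA/fold, or into the hash output afterwards), as an added toy model that is not kernel code and not from any commenter. It assumes a 16-word pool, a stand-in mixer in place of SHA-1, and a source that is allowed to see the whole pool, which is the premise of the thread; it shows that a post-hash XOR lets such a source dictate the output, while a pre-hash XOR does not with the same trick.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define POOL_WORDS 16
typedef uint32_t (*hw_source_fn)(const uint32_t *pool);

/* Stand-in for the kernel's SHA-1 fold: a toy mixer that is non-linear in the
 * pool words (assumption: not a real hash, not kernel code). */
static uint32_t toy_hash(const uint32_t *pool) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < POOL_WORDS; i++) {
        h ^= pool[i];
        h *= 0x01000193u;
        h ^= h >> 15;
    }
    return h;
}
/* A hardware word chosen with full view of the pool (the thread's premise):
 * it returns the one value that cancels a post-hash XOR. */
static uint32_t pool_aware_source(const uint32_t *pool) { return toy_hash(pool); }
/* Ordering 1: hash the pool, then XOR the hardware word into the result. */
uint32_t extract_xor_after(const uint32_t *pool, hw_source_fn src) {
    return toy_hash(pool) ^ src(pool);
}

/* Ordering 2: XOR the hardware word into the pool words, then hash
 * (the "before the SHA/fold" ordering argued for in the comments). */
uint32_t extract_xor_before(const uint32_t *pool, hw_source_fn src) {
    uint32_t mixed[POOL_WORDS], hw = src(pool);
    for (size_t i = 0; i < POOL_WORDS; i++) mixed[i] = pool[i] ^ hw;
    return toy_hash(mixed);
}
/* Feed n constructed pools to an extractor using the pool-aware source and count
 * outputs that come back exactly zero: n means the source dictates the output. */
size_t zero_outputs(uint32_t (*extract)(const uint32_t *, hw_source_fn), size_t n) {
    size_t zeros = 0;
    for (size_t k = 0; k < n; k++) {
        uint32_t pool[POOL_WORDS];  /* constructed sample pool contents */
        for (size_t i = 0; i < POOL_WORDS; i++)
            pool[i] = (uint32_t)((k + 1) * 0x9e3779b9u) ^ (uint32_t)(i * 0x85ebca6bu);
        if (extract(pool, pool_aware_source) == 0) zeros++;
    }
    return zeros;
}

int main(void) {
    printf("xor after hash: %zu/64 zero outputs\n", zero_outputs(extract_xor_after, 64));
    printf("xor before hash: %zu/64 zero outputs\n", zero_outputs(extract_xor_before, 64));
    return 0;
}
```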