
Intel In Bed with NSA? - lifeguard
http://cryptome.org/2013/07/intel-bed-nsa.htm
======
comex
It is really, really hard for me to see this as anything other than utter
paranoia. As one of the messages in the thread stated:

> Right. How exactly would you backdoor an RNG so (a) it could be effectively
> used by the NSA when they needed it (e.g. to recover Tor keys), (b) not
> affect the security of massive amounts of infrastructure, and (c) be so
> totally undetectable that there'd be no risk of it causing a s**tstorm that
> makes the $0.5B FDIV bug seem like small change (not to mention the legal
> issues, since this one would have been inserted deliberately, so we're
> probably talking bet-the-company amounts of liability there).

~~~
lifeguard
Well, it is documented that the NSA made DES weaker by using less bits for key
size (this makes brute forcing easier). I also noted that Schneier's AES
submission was passed over (I speculate that Rijndael is easier to brute
force).

The feds used to fight civilian crypto tooth and nail. Then they allowed it,
and in one of the crypto books a story was related that the feds were bummed
about RSA and friends. The listener questioned why, when surely their efforts
were feeble compared to the government's. The response was the pace of
development was much faster than expected.

~~~
barbs
> _The feds used to fight civilian crypto tooth and nail._

Curious. I'd like to read about this. Can anyone post any links?

~~~
IvyMike
Read up on the Clipper chip: A chip which was sort of being promoted to be the
"official" way to do crypto in the US. Specifically designed to be decryptable
by the NSA via "key escrow".

[https://en.wikipedia.org/wiki/Clipper_chip](https://en.wikipedia.org/wiki/Clipper_chip)

It died when Matt Blaze figured out a way to trick the clipper chip doing
encryption that the NSA could NOT decrypt.

~~~
rozap
"Then-Senators John Ashcroft and John Kerry were opponents of the Clipper
chip proposal, arguing in favor of the individual's right to encrypt messages
and export encryption software."

Wow. What happened?

------
__alexs
The comments about RdRand being impossible to verify because it's on-chip seem
quite reasonable. (Although Intel have tried to be quite open about how it
works.
[https://sites.google.com/site/intelrdrand/references](https://sites.google.com/site/intelrdrand/references))

I have no idea if RdRand is the _only_ source of entropy for /dev/urandom in
the kernel these days but that does seem quite silly. Especially as RdRand is
documented as having two error conditions, not enough entropy, and that the
hardware appears to be broken.

In any case, here's the LKML thread where it was merged too
[http://thread.gmane.org/gmane.linux.kernel/1173350](http://thread.gmane.org/gmane.linux.kernel/1173350)

~~~
obituary_latte
>I have no idea if RdRand is the only source of entropy for /dev/urandom in
the kernel these days but that does seem quite silly

If I understand correctly, the idea is to use RdRand to feed the entropy pool
(which is also fed by other noise)[1] from which urandom pulls. So it doesn't
seem RdRand would be the sole source of entropy if it were to be used in this
context.

[1][http://linux.die.net/man/4/urandom](http://linux.die.net/man/4/urandom)

~~~
justincormack
Most servers do not have any serious source of randomness (unless you buy
another hardware RNG) which is partly why these were introduced (Intel used to
have a motherboard RNG, and VIA had on CPU ones years back).

You can buy one of these
[http://www.entropykey.co.uk/](http://www.entropykey.co.uk/) which are
unlikely to be NSA "certified" instead.

------
adr_
If the NSA is working with Intel, they're not going to bother with an RNG...
The processor is the most trusted part of the computer security model - why
would you choose bad random numbers as your attack vector?

Relevant talk: Hardware Backdooring is Practical - Jonathan Brossard
[https://www.youtube.com/watch?v=j9Fw8jwG07g](https://www.youtube.com/watch?v=j9Fw8jwG07g)

------
starmole
This issue just does not pass the rubber hose test. If the NSA wanted and got
a backdoor in intel chips there are so many better ways to do it than
introducing a bad hw rng. If you wanted one exploit in the chip, why would you
pick a hard to exploit one and user controlled one on top of that? It's
classic paranoid thinking: People have a choice to use the hw rng or not. So
it becomes a big deal. All the while not addressing the non-choice issue like
having a potential backdoor triggered by a specific instruction sequence.

~~~
fauigerzigerk
It also needs to be hard to detect and relevant specifically for crypto
operations. So where would you put a backdoor on a chipset?

------
adventured
It's safe to assume every core technology company has been compelled to be in
bed with the NSA in _some_ form or another. Intel has been anti-trust managed
by the government for nearly two decades. Getting access to the monopoly
desktop / laptop processor maker would be far too rich a target to ignore.

~~~
zanny
This is why I show preference towards AMD chips even when they have the
competitive disadvantage. Any sufficiently large company ends up, through
their will or the gov'ts, wrapped up in politics. Which is the one of the
larger issues of our age.

~~~
humanspecies
AMD is probably cooperating with the government on the same level as Intel.

~~~
zanny
Any company with over 1k employees probably is. I'm just saying if there are
any systemic backdoors in Intel chips, AMD probably doesn't have them because
they are 5 - 10% of the market and the gov't doesn't care to jump through
hoops to get them implementing whatever backdoor they want.

------
stfu
Would appreciate some sort of a summary. Reading some mile long email exchange
just to figure out what the headline is really about makes it kinda tricky.

~~~
mpyne
I read the whole thing, but few here would truly feel that my summary of
'paranoia. paranoia everywhere' is not a government plant.

The core concern seems to be the idea that an RNG embedded into Intel's latest
kit might actually be a PRNG that could be backdoored by NSA on command
somehow with resultant catastrophic effects to crypto primitives on that box,
if the Intel RNG were the only source of entropy on the box.

~~~
ontoillogical
Uh, RdRand is definitely a pseudo random number generator. The question is
about whether it's cryptographically secure or not, or more specifically,
whether it can be or is backdoored.

------
spindritf
I upvoted but the current title ("Is Linus Torvalds 'evil'?") is downright
horrible and I hope a mod will revert it to the original one soon.

~~~
lifeguard
Linus is (was?) one of my living heroes. But he controls the Linux kernel.

FTA:

"It's worth noting that the maintainer of record (me) for the Linux RNG quit
the project about two years ago precisely because Linus decided to include a
patch from Intel to allow their unauditable RdRand to bypass the entropy pool
over my strenuous objections." -- Eugen* Leitl

Linus has close ties to Intel and has for a long time.
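An added example, not code from the thread, the cryptome e-mails, or the Linux kernel, that puts the two technical points above into a runnable form: __alexs's note that RdRand reports failure through a flag (the instruction leaves CF=0 when no data is available or the hardware has failed its self-test), and the difference between feeding the RdRand word into an entropy pool that also receives other noise, as obituary_latte describes, versus letting it bypass the pool, as the quoted e-mail complains. The pool mixer is a toy ARX function written for this example (not the kernel's, and not a cryptographic hash), `hw_random_u64` is this example's own retry wrapper around the instruction, and `evil_hw` is a simulated hardware RNG that always returns an attacker-known constant. Only x86-64 is supported for the real instruction; elsewhere the wrapper reports "unavailable".

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <cpuid.h>
/* CPUID.01H:ECX bit 30 advertises RDRAND support. */
static int rdrand_supported(void) {
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (ecx >> 30) & 1;
}
/* One RDRAND attempt. CF=1 means a word was delivered; CF=0 means no data
 * is available right now (or the DRNG is in a failed state). */
static int rdrand64_once(uint64_t *out) {
    unsigned char ok;
    __asm__ volatile("rdrand %0; setc %1" : "=r"(*out), "=q"(ok) : : "cc");
    return ok;
}
/* Wrapper (this example's own): retry a bounded number of times, and treat
 * persistent CF=0 as "hardware RNG unavailable" rather than using garbage. */
static int hw_random_u64(uint64_t *out) {
    if (!rdrand_supported()) return 0;
    for (int i = 0; i < 10; i++)
        if (rdrand64_once(out)) return 1;
    return 0;
}
#else
static int rdrand_supported(void) { return 0; }
static int hw_random_u64(uint64_t *out) { (void)out; return 0; }
#endif

/* Toy entropy pool. The mixer is illustrative only: every absorbed word
 * perturbs all state words, which is the property the argument relies on. */
#define POOL_WORDS 4
struct pool { uint64_t s[POOL_WORDS]; };

static uint64_t rotl64(uint64_t x, int r) { return (x << r) | (x >> (64 - r)); }

static void pool_mix_in(struct pool *p, uint64_t w) {
    p->s[0] ^= w;
    for (int r = 0; r < 8; r++)
        for (int i = 0; i < POOL_WORDS; i++) {
            p->s[i] += p->s[(i + 1) % POOL_WORDS];
            p->s[(i + 2) % POOL_WORDS] ^= rotl64(p->s[i], 13 + 7 * i);
        }
}
static uint64_t pool_extract(struct pool *p) {
    pool_mix_in(p, 0x9E3779B97F4A7C15ULL); /* stir before output */
    return p->s[0] ^ p->s[1] ^ p->s[2] ^ p->s[3];
}

/* Policy A ("bypass"): if the hardware RNG answers, hand its word straight to
 * the caller. Whatever the hardware RNG's output is predictable to, so is this. */
static uint64_t random_bypass(struct pool *p, int (*hw)(uint64_t *)) {
    uint64_t w;
    if (hw(&w)) return w;
    return pool_extract(p);
}
/* Policy B ("mix"): the hardware word is one more input to the pool. Output
 * stays unpredictable as long as any other input to the pool was. */
static uint64_t random_mixed(struct pool *p, int (*hw)(uint64_t *)) {
    uint64_t w;
    if (hw(&w)) pool_mix_in(p, w);
    return pool_extract(p);
}

/* Simulated backdoored hardware RNG: always "succeeds" with a known constant. */
static int evil_hw(uint64_t *out) { *out = 0xDEADBEEFCAFEF00DULL; return 1; }

/* Two pools that received different (constructed) noise the adversary does not
 * know. Returns 1 if the bypass policy produced the attacker-known value for
 * both while the mix policy produced different, noise-dependent outputs. */
static int demo(void) {
    struct pool a = {{1, 2, 3, 4}}, b = {{1, 2, 3, 4}};
    pool_mix_in(&a, 0x1111222233334444ULL); /* constructed noise for pool a */
    pool_mix_in(&b, 0x5555666677778888ULL); /* constructed noise for pool b */
    uint64_t bypass_a = random_bypass(&a, evil_hw);
    uint64_t bypass_b = random_bypass(&b, evil_hw);
    uint64_t mixed_a = random_mixed(&a, evil_hw);
    uint64_t mixed_b = random_mixed(&b, evil_hw);
    return bypass_a == bypass_b && mixed_a != mixed_b;
}

/* Sanity check on the real instruction path: success iff CPUID says RDRAND exists. */
static int hw_path_consistent(void) {
    uint64_t v = 0;
    int got = hw_random_u64(&v);
    return rdrand_supported() ? got == 1 : got == 0;
}

int main(void) {
    uint64_t v = 0;
    printf("RDRAND supported: %d, read ok: %d\n", rdrand_supported(), hw_random_u64(&v));
    printf("bypass leaks backdoored output, mix does not: %d\n", demo());
    return 0;
}
```

The point of `demo` is the structural one made in the thread: with the bypass policy the hardware RNG alone decides the output, so a predictable RdRand is a predictable system RNG, while with the mix policy an adversary who controls RdRand still has to know every other input to the pool. The retry loop is also the practical answer to __alexs's two error conditions: a CF=0 result must be handled as "no data", never consumed as if it were random.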

~~~
zdw
Yeah, like when he worked for Transmeta, and that stint in the mid 200x's
where a PowerPC64 was his main machine?

He may have a lot of Intel connections, but he doesn't seem to be committed to
any specific vendor.

------
lucb1e
Submitted a question here:
[http://crypto.stackexchange.com/q/9210/2512](http://crypto.stackexchange.com/q/9210/2512)

Feel free to edit the question if you have anything to add!

------
gmuslera
Hanlon's razor helps in this kind of discussion. Maybe when Linus took that
option he didn't see Intel as something that would intentionally make its RNG
predictable on government orders, and just chose not to reimplement the wheel
where it was already available.

Would he take another option since last month? Maybe in the light of this he
could take back that choice.

~~~
gizmo686
Linus does not have the option to reimplement the wheel. Software cannot
generate random numbers.

~~~
skore
> Software cannot generate random numbers.

Can hardware? [0]

[0]
[http://en.wikipedia.org/wiki/Hardware_random_number_generato...](http://en.wikipedia.org/wiki/Hardware_random_number_generator#Problems)

------
VMG
Interesting discussion, but incredibly bad title.

~~~
lifeguard
I was trying to be concise. I also put quotes around evil.

~~~
sounds
Looks like it has been flagged, and is now dead. Too bad...

------
3327
This is nothing more than speculative emails.

------
mr_spothawk
Did anybody look @ [http://leitl.org/](http://leitl.org/)

This email could just as easily be the musings of an insane person, which is
what's suggested by the contents of the website.

------
tomphoolery
The thing that the thread is about is kinda interesting, too.
[https://heml.is/](https://heml.is/)

------
rooster8
One reason it would be a poor decision for the NSA to recommend Intel backdoor
the RNG: Intel would be in a position to sell/leak the backdoor secret to
other governments.

The NSA would have no way of blocking it from being used to attack the US. And
you can't roll out a hotfix for billions of CPUs worldwide.

------
jvreeland
Doesn't the NSA end up using these machines as well? It seems like a lot of
work to introduce a flaw that you have to work around for your own use later.
And if it's a hardware flaw, I doubt even the NSA could demand Intel or AMD
manufacture separate batches for their own use.

