Technical Feasibility of Decrypting HTTPS by Replacing the Computer’s Pseudorandom Number Generator

July 15th, 2013

Via: Stack Exchange:

Intel has an on-chip RdRand function which supposedly bypasses the normally used entropy pool for /dev/urandom and directly injects output. Now rumors are going on that Intel works together with the NSA… and knowing that PRNGs are important for cryptography is enough to get this news spreading.

I personally don’t believe this is true, so this is entirely hypothetical: Let’s assume that indeed RdRand does what news says it does and that it indeed outputs randomness into a place where applications and libraries would look for cryptographically secure randomness.

How feasible is it that the chip’s manufacturer can predict the output of this PRNG when it passed tests from the people applying the use of this RdRand instruction in kernels?

If the chip’s manufacturer can predict the output of the PRNG to some extent, how feasible is it that they can decrypt any https traffic between two systems using their chips? (Or anything else requiring randomness, https is only an example.)

My reason for asking: http://cryptome.org/2013/07/intel-bed-nsa.htm
As said, I don’t believe everything written here, but I find it very interesting to discuss the possibility technically.
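To make the question concrete, here is an added example (mine, not from the Stack Exchange post, and not a description of Intel's actual design; the key, generator and test thresholds are all constructed): a keyed generator whose output passes simple statistical tests yet is reproduced bit for bit by whoever holds the key, alongside the mitigation kernels use of hashing hardware output together with independent entropy rather than consuming it directly.

```python
import hashlib
import hmac
import math
from collections import Counter

# Constructed placeholder standing in for a secret only the chip maker would know.
MANUFACTURER_KEY = b"constructed-example-key-not-real"


def keyed_prng(key: bytes, nbytes: int) -> bytes:
    """HMAC-SHA256 in counter mode: looks random, but is a pure function of the key."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


def byte_chi_square(data: bytes) -> float:
    """Chi-square of byte frequencies against uniform (255 degrees of freedom)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def monobit_z(data: bytes) -> float:
    """Frequency (monobit) test: z-score of the count of one bits."""
    ones = sum(bin(b).count("1") for b in data)
    n = len(data) * 8
    return abs(2 * ones - n) / math.sqrt(n)


def passes_basic_tests(data: bytes) -> bool:
    """Constructed, deliberately loose acceptance thresholds; a keyed stream passes them."""
    return byte_chi_square(data) < 400 and monobit_z(data) < 5.0


def manufacturer_predicts(observed: bytes, key: bytes) -> bool:
    """Whoever holds the key regenerates the 'random' output exactly."""
    return keyed_prng(key, len(observed)) == observed


def mix_sources(hw_output: bytes, other_entropy: bytes) -> bytes:
    """Mitigation: hash hardware output together with independent entropy, so
    knowing the hardware stream alone no longer determines the result."""
    return hashlib.sha256(hw_output + other_entropy).digest()
```

The statistical tests only measure the distribution of the output; they say nothing about whether someone else can compute it, which is exactly the gap the question is asking about.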

2 Responses to “Technical Feasibility of Decrypting HTTPS by Replacing the Computer’s Pseudorandom Number Generator”

  1. steve holmes says:

    The ZR-1 Corvette came with a lockable “valet switch” on the dash that detuned the engine computer 200 horsepower. Most people wouldn’t have a clue that 30% of the car’s power was locked out “FOR THEIR OWN GOOD.”

    Presuming that the NSA and INTEL have a working partnership is a no-brainer: many years ago, Intel built a “mind boggling” motherboard with 200 early Pentium chips to use in nuclear weapons research. Clearly, strange bedfellows they ALL are. How they accomplish their voodoo is beyond me other than I did wire up a three-way switch in my kitchen and discovered that there is more than one way to get it done in the magic behind the drywall.

  2. Kevin says:

    Back around 2000, I worked with a programmer who had previously worked at what was then called Racal. We discussed encryption a bit.

    Long story short:

    Are you sure that your compiler is faithfully compiling ALL of your algorithms—Especially the ones related to PRNG, entropy, encryption?

    I said, “With proprietary compilers, who knows??? But what about open source compilers, GCC, etc.?”

    He laughed and shot back something similar to, “Sure, how about the CPU? What if your 4096-bit key actually contains only 8 bits worth of entropy because of some ‘black box’ on the chip? I’m not saying that I know that’s happening, but I can’t say that I know that it’s not happening, either. Let’s just say that I have a reason to wonder about it.” And he wouldn’t say any more about it.

    We grinned worryingly at each other for a few seconds and then went for lunch at the cheap Chinese food place at the food court.

    Still, I think that somewhere, there has to be a dude with a long enough pony tail, a big enough beer gut and enough propellers in his beanie cap to be able to reverse engineer the binaries and determine, for sure, that crypto widgets are actually compiling the way people think they should be.
