undefined | Better HN

0 pointsars11y ago0 comments

You oversell the "in practice" part. That is not in the slightest possible in practice.

His writeup assumes the attacker knows everything about the way the random stream is generated. But a mass market CPU would not be able to do that.

0 comments

2 comments · 1 top-level

TheLoneWolfling11y ago· 1 in thread

It doesn't need to.

Even a simple "replace a RNG xor a register with <backdoored RNG>" in the microcode would catch almost everything. And remember - microcode updates happen all the time, and are not open. It's entirely possible that the microcode is updated in response to the type of RNG verification - in other words, with the attacker knowing everything about the way the random stream is generated, as you say.

arsOP11y ago

I was not able to parse your sentence in quotes, so I can not reply to it.

It seems like you think the random stream is generated mathematically. It's not, it's based on various timing events, mouse movements, keyboard, etc. A mass market CPU would not be able to handle any of that.

You could always get the CPU random number first, then the external randomness - it would have to predict the future to do anything about it.

> the microcode is updated in response to the type of RNG verification

Hu? I don't understand what you mean. What RNG verification? You would have to tune to the microcode to the specific version and settings of the OS getting the random data, including which hardware was attached.

You massively underestimate how hard this would be. Yes, perhaps the NSA could do it for a single well known adversary - maybe - I doubt it, but maybe. But it would certainly be impossible in mass.

j / k navigate · click thread line to collapse