RdRand
RDRAND
(previously known as Bull Mountain[1]) is an instruction for returning random numbers from an Intel on-chip hardware random number generator.[2] RDRAND
is available in Ivy Bridge processors[lower-alpha 1] and is part of the Intel 64 and IA-32 instruction set architectures. AMD added support for the instruction in June 2015.[4]
The random number generator is compliant with security and cryptographic standards such as NIST SP 800-90A,[5] FIPS 140-2, and ANSI X9.82.[2] Intel also requested Cryptography Research Inc. to review the random number generator in 1999 and 2012, which resulted in two published papers: The Intel Random Number Generator in 1999,[6] and Analysis of Intel's Ivy Bridge Digital Random Number Generator in 2012.[7]
RDSEED
is similar to RDRAND
and suitable for producing seed material. The RDSEED
generator and processor instruction rdseed
are available with Intel Broadwell CPUs[8] and AMD Zen CPUs.[9]
Overview
The CPUID
instruction can be used to check whether the central processing unit (CPU) supports the RDRAND
instruction on both AMD and Intel CPUs. If supported, bit 30 of the ECX register is set after calling CPUID standard function 01H
.[10] AMD processors are checked for the feature using the same test.[11] RDSEED
availability can be checked on Intel CPUs in a similar manner. If RDSEED
is supported, the bit 18 of the EBX register is set after calling CPUID standard function 07H
.
.[12]
The opcode for RDRAND
is 0x0F 0xC7
, followed by a ModRM byte that specifies the destination register and optionally combined with a REX prefix in 64 bit mode.[13]
Intel Secure Key is Intel's name for both the RDRAND
instruction and the underlying random number generator (RNG) hardware implementation,[2] which was codenamed "Bull Mountain" during development.[14] Intel calls their RNG a "digital random number generator". The generator uses an on-processor entropy source, which passes the randomly generated bits to an Advanced Encryption Standard (AES) (in CBC-MAC mode) conditioner to distill the entropy into non-deterministic random numbers. A deterministic random-bit generator is seeded by the output from the conditioner, providing cryptographically secure random numbers to applications requesting them via the RDRAND
instruction.[2][14]
Intel states that RdRand employs the NIST SP800-90 standard, which specifies four random number generators: CTR DRBG (used by RDRAND
), Hash DRBG, HMAC DRBG,[5] and Dual_EC_DRBG. The latter is alleged to be kleptographic.[15] However, Intel states that RDRAND
uses only CTR_DRBG.
The RDSEED
instruction was added to Intel Secure Key for seeding another pseudorandom number generator,[16] available in Broadwell CPUs. The entropy source for the RDSEED
instruction runs asynchronously on a self-timed circuit and uses thermal noise within the silicon to output a random stream of bits at the rate of 3 GHz.[17] The two instructions may appear to have similar functions. However, the RDSEED
instruction is intended for seeding a software PRNG of arbitrary width, whereas the RDRAND
is intended for applications that merely require high-quality random numbers.
Reception
In September 2013, in response to a New York Times article revealing the NSA's effort to weaken encryption, Theodore Ts'o publicly posted concerning the use of RdRand for /dev/random in the Linux kernel:[18]
I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction. To quote from the article below: 'By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors....' Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea.
Linus Torvalds dismissed concerns about the use of RdRand in the Linux kernel, and pointed out that it is not used as the only source of entropy for /dev/random, but rather used to improve the entropy by combining the values received from RdRand with other sources of randomness.[19][20] However, Taylor Hornby of Defuse Security demonstrated that the Linux random number generator could become insecure if a backdoor is introduced into the RdRand instruction that specifically targets the code using it. Taylor's proof-of-concept implementation works on an unmodified Linux kernel.[21][22][23]
Developers changed the FreeBSD kernel away from using RdRand and VIA PadLock directly with the comment "For [FreeBSD] 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random. It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more"[19][24]
See also
Notes
References
- ↑ Hofemeier, Gael (2011-06-22). "Find out about Intel's new RdRand Instruction.". Intel Developer Zone Blogs. Retrieved December 2013.
- 1 2 3 4 "Intel Digital Random Number Generator (DRNG): Software Implementation Guide, Revision 1.1" (PDF). Intel Corporation. 2012-08-07. Retrieved 2012-11-25.
- ↑ Desktop 3rd Generation Intel Core Processor Family, Specification Update (PDF). Intel Corporation. January 2013.
- ↑ "AMD64 Architecture Programmer’s Manual Volume 3: General-Purpose and System Instructions" (PDF). AMD Developer Guides, Manuals & ISA Documents. June 2015. Retrieved 16 October 2015.
- 1 2 Barker, Elaine; Kelsey, John (January 2012). "Recommendation for Random Number Generation Using Deterministic Random Bit Generators" (PDF). National Institute of Standards and Technology. Retrieved September 16, 2013.
- ↑ Jun, Benjamin; Kocher, Paul (1999-04-22). "The Intel Random Number Generator" (PDF). Cryptography Research, Inc. Retrieved 2015-08-21.
- ↑ Hamburg, Mike; Kocher, Paul; Marson, Mark (2012-03-12). "Analysis of Intel's Ivy Bridge Digital Random Number Generator" (PDF). Cryptography Research, Inc. Retrieved 2015-08-21.
- ↑ Hofemeier, Gael (2012-07-26). "Introduction to Intel AES-NI and Intel SecureKey Instructions". Intel Developer Zone. Intel. Retrieved 2015-10-24.
- ↑ "AMD Starts Linux Enablement On Next-Gen "Zen" Architecture - Phoronix". www.phoronix.com. Retrieved 2015-10-25.
- ↑ "Volume 1, Section 7.3.17, 'Random Number Generator Instruction'" (PDF). Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C. Intel Corporation. June 2013. p. 177. Retrieved 24 June 2013.
All Intel processors that support the RDRAND instruction indicate the availability of the RDRAND instruction via reporting CPUID.01H:ECX.RDRAND[bit 30] = 1
- ↑ "AMD64 Architecture Programmer’s Manual Volume 3: General-Purpose and System Instructions" (PDF). AMD. June 2015. p. 278. Retrieved 15 October 2015.
Support for the RDRAND instruction is optional. On processors that support the instruction, CPUID Fn0000_0001_ECX[RDRAND] = 1
- ↑ "Volume 1, Section 7.3.17, 'Random Number Generator Instruction'" (PDF). Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 3A, 3B and 3C. Intel Corporation. June 2013. p. 177. Retrieved 25 October 2015.
All Intel processors that support the RDSEED instruction indicate the availability of the RDSEED instruction via reporting CPUID.(EAX=07H, ECX=0H):EBX.RDSEED[bit 18] = 1
- ↑ "Intel® Digital Random Number Generator (DRNG) Software Implementation Guide | Intel® Developer Zone". Software.intel.com. Retrieved 2014-01-30.
- 1 2 Taylor, Greg; Cox, George (September 2011). "Behind Intel's New Random-Number Generator". IEEE Spectrum.
- ↑ Bruce Schneier (November 15, 2007). "Did NSA Put a Secret Backdoor in New Encryption Standard?". Wired.
- ↑ John Mechalas (November 2012). "The Difference Between RDRAND and RDSEED". software.intel.com. Intel Corporation. Retrieved 1 January 2014.
- ↑ Mechalas, John. "Intel Digital Random Number Generator (DRNG) Software Implementation Guide, Section 3.2.1 Entropy Source (ES)". https://software.intel.com. Intel. Retrieved 18 February 2015. External link in
|website=
(help) - ↑ Ts'o, Theodore (September 6, 2013). "I am so glad I resisted pressure from Intel engineers to let /dev/random rely...".
- 1 2 Richard Chirgwin (2013-12-09). "FreeBSD abandoning hardware randomness". The Register.
- ↑ Gavin Clarke (10 September 2013). "Torvalds shoots down call to yank 'backdoored' Intel RdRand in Linux crypto". theregister.co.uk. Retrieved 12 March 2014.
- ↑ Taylor Hornby (6 December 2013). "RDRAND backdoor proof of concept is working! Stock kernel (3.8.13), only the RDRAND instruction is modified.". Retrieved 9 April 2015.
- ↑ Taylor Hornby [DefuseSec] (10 September 2013). "I wrote a short dialogue explaining why Linux's use of RDRAND is problematic. http://pastebin.com/A07q3nL3 /cc @kaepora @voodooKobra" (Tweet). Retrieved 11 January 2016.
- ↑ Daniel J. Bernstein; Tanja Lange (16 May 2014). "Randomness generation" (PDF). Retrieved 9 April 2015.
- ↑ "FreeBSD Quarterly Status Report". Freebsd.org. Retrieved 2014-01-30.