On Wed, Jul 26, 2017 at 1:57 PM, Martin Rex <m...@sap.com> wrote:
>
> Through the 10x compression of the RDRAND output, which will provably
> create an incredibly huge amount of collisions, the attacker will be
> unable to identify any particular output values of RDRAND.
>
> Your conceived attack could only work under the condition that
> 10 RDRAND consecutive outputs are always fully deterministic, and
> that also the seed used by RDRAND will be fully deterministic to
> the attacker -- or can otherwise be learned out-of-band by the attacker
> -- while at the same time this property will remain invisible to
> all external randomness tests.
>
I think this is pretty easy for some conceivable attacks. Suppose that your adversary makes RDRAND a DRBG seeded with wall-clock time and device-ID. That's going to produce deterministic output, but it will pass all of the tests and appear to be random. If the attacker knows your device-ID, or even just a range of possible device-IDs, they can confirm via a match. The 10x compression would just make them do a bit more work.

--
Colm
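The attack Colm sketches, as an added worked example (this is not code from the thread, from Intel, or from any real RDRAND implementation). It models the backdoored generator as a DRBG whose only seed material is a device ID and the wall-clock second, folds ten raw outputs into one word as the "10x compression", and then plays the attacker who knows a range of device IDs and roughly when the value was drawn. The DRBG construction (HMAC-SHA256 in counter mode), the SHA-256 compression step, the device-ID and time ranges, and the sample device 0x1234 are all assumptions made for the example:

```python
import hashlib
import hmac
import struct

# "10x compression": fold ten raw RDRAND outputs into a single 64-bit word.
RAW_WORDS_PER_OUTPUT = 10


def backdoored_rdrand(device_id: int, wall_clock: int, n_words: int) -> list[int]:
    """Hypothetical backdoored RDRAND: a DRBG seeded only from the device ID and
    the wall-clock second.  HMAC-SHA256 in counter mode is an assumption for this
    example; any strong PRF gives output that passes black-box randomness tests
    while being fully reproducible by anyone who knows the seed."""
    seed = struct.pack(">QQ", device_id, wall_clock)
    key = hashlib.sha256(b"hypothetical-backdoor-kdf" + seed).digest()
    words = []
    for counter in range(n_words):
        block = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        words.append(int.from_bytes(block[:8], "big"))
    return words


def compress(words: list[int]) -> int:
    """Whitening step: hash ten 64-bit words down to one 64-bit word (assumed).
    Collisions are plentiful, but the attacker never needs to invert this step;
    she simply recomputes it from each candidate seed."""
    h = hashlib.sha256()
    for w in words:
        h.update(struct.pack(">Q", w))
    return int.from_bytes(h.digest()[:8], "big")


def victim_random_word(device_id: int, wall_clock: int) -> int:
    """What the victim's software sees as one 64-bit 'random' value."""
    return compress(backdoored_rdrand(device_id, wall_clock, RAW_WORDS_PER_OUTPUT))


def ones_fraction(device_id: int, wall_clock: int, n_values: int) -> float:
    """Crude monobit check over compressed outputs from successive seconds:
    the backdoored generator looks perfectly balanced to a black-box test."""
    ones = sum(bin(victim_random_word(device_id, wall_clock + i)).count("1")
               for i in range(n_values))
    return ones / (64 * n_values)


def attacker_recover_seed(observed: int, device_ids, clocks):
    """Attacker who knows a range of device IDs and roughly when the value was
    generated: brute-force the (device_id, time) space and confirm by match.
    Returns (device_id, wall_clock) on success, None otherwise."""
    for dev in device_ids:
        for t in clocks:
            if victim_random_word(dev, t) == observed:
                return dev, t
    return None


if __name__ == "__main__":
    # Constructed scenario: victim device 0x1234 draws one value at a known-ish time.
    dev, t = 0x1234, 1501077420  # assumed: a second on 2017-07-26
    leaked = victim_random_word(dev, t)
    print(f"observed value:         {leaked:016x}")
    print(f"monobit ones fraction:  {ones_fraction(dev, t, 500):.4f}")
    guess = attacker_recover_seed(leaked, range(0x1200, 0x1300), range(t - 30, t + 30))
    print(f"recovered (device, t):  {guess}")
```

The search costs the attacker one DRBG run of ten words plus one hash per candidate seed, so the compression multiplies the work by a small constant rather than by the size of the collision space; what bounds the attack is the entropy of the seed (here 256 device IDs times 60 seconds), not the width of the whitening function.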
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls