tech-crypto archive


Re: Patch: cprng_fast performance - please review.



On Fri, Apr 18, 2014 at 05:00:50PM -0400, Thor Lancelot Simon wrote:
> 
> Unfortunately, the virtual machines on this laptop that I use for most
> NetBSD development don't expose the AES-NI instructions to guests, even
> when doing hardware assisted virtualization.  Not RDRAND neither, for

So, since I already brought it up: why not use a hardware RNG, like RDRAND,
for this purpose?

There's a good reason why not: since the RNG's output is meant to be
indistinguishable from a random sequence, you cannot tell whether the
hardware manufacturer has hidden something in there, then encrypted it
with a good cipher under a known key.

The victim of this attack will then obligingly expose the RNG's output
on the network for you by using it as explicit IV values!  Or "random
padding".  Or... you get the idea.  Oops.

If I were a malicious manufacturer (or designer) of cryptographic hardware
this is probably the first place I'd go if I were trying to leak key bits
or other secrets.  The victim basically can't tell you're doing it and it
gets the secret stuff right out there on the network where you can read
it right off.

So I'm *much* less worried, practically, about vulnerabilities in, say,
AES-NI than in RDRAND.

Thor
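As an added illustration (not part of Thor's message and not NetBSD's cprng code), the constructed Python model below contrasts the two designs the thread argues about: a hardware RNG whose output only the manufacturer can reproduce, used either directly as an explicit IV or as one input to a hash mixed with kernel-private pool state. The manufacturer key, the pool contents and all function names are this example's assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the manufacturer's advantage: the device output is a
# keyed PRF of a counter, so it passes every randomness test the victim can run,
# yet whoever holds MANUFACTURER_KEY can regenerate it (the page's "hidden value
# encrypted under a known key").  Not a real device model; illustration only.
MANUFACTURER_KEY = b"constructed-manufacturer-key"


def hwrng_output(counter, nbytes=16):
    """Bytes the device hands the kernel for request number `counter`."""
    return hmac.new(MANUFACTURER_KEY, counter.to_bytes(8, "big"),
                    "sha256").digest()[:nbytes]


def iv_direct(counter):
    """Anti-pattern: raw hardware RNG output used straight as an explicit IV,
    so the device's bytes go onto the wire unchanged."""
    return hwrng_output(counter)


def iv_mixed(counter, pool_state):
    """Defensive pattern: the device is only one contributor to a hash over
    kernel-private pool state (assumed fed from other sources the manufacturer
    cannot see).  Raw device bytes never leave the machine, so an observer who
    can reproduce the device output still learns nothing from the IV."""
    h = hashlib.sha256()
    h.update(pool_state)
    h.update(hwrng_output(counter))
    h.update(counter.to_bytes(8, "big"))
    return h.digest()[:16]


def manufacturer_recognises(iv, counter):
    """What a malicious manufacturer can check on a captured IV: does it equal
    the bytes the device produced for this request?"""
    return hmac.compare_digest(iv, hwrng_output(counter))
```

With the direct design `manufacturer_recognises` succeeds on every captured IV; with the mixed design it fails, and the IV still changes if the pool state changes, which is the property a kernel CPRNG wants from a hardware source it does not fully trust.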

