A Provable-Security Analysis of Intel’s Secure Key RNG

  • Thomas Shrimpton
  • R. Seth Terashima
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9056)

Abstract

We provide the first provable-security analysis of the Intel Secure Key hardware RNG (ISK-RNG), versions of which have appeared in Intel processors since late 2011. To model the ISK-RNG, we generalize the PRNG-with-inputs primitive, introduced by Dodis et al. at CCS’13 for their /dev/[u]random analysis. The concrete security bounds we uncover tell a mixed story. We find that ISK-RNG lacks backward-security altogether, and that the forward-security bound for the “truly random” bits fetched by the \(\mathtt {RDSEED}\) instruction is potentially worrisome. On the other hand, we are able to prove stronger forward-security bounds for the pseudorandom bits fetched by the \(\mathtt {RDRAND}\) instruction. En route to these results, our main technical efforts focus on the way in which ISK-RNG employs CBCMAC as an entropy extractor.

Keywords

Random number generator; Entropy extraction; Provable security

References

  1. Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 203–212. ACM (2005)
  2. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)
  3. Chevassut, O., Fouque, P.-A., Gaudry, P., Pointcheval, D.: The twist-augmented technique for key exchange. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 410–426. Springer, Heidelberg (2006)
  4. Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, Cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004)
  5. Dodis, Y., Pointcheval, D., Ruhault, S., Vergniaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input: /dev/random is not robust. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 647–658. ACM (2013)
  6. Everspaugh, A., Zhai, Y., Jellinek, R., Ristenpart, T., Swift, M.: Not-so-random numbers in virtualized Linux and the Whirlwind RNG. In: IEEE Symposium on Security and Privacy (2014)
  7. Gutterman, Z., Pinkas, B., Reinman, T.: Analysis of the Linux random number generator. In: 2006 IEEE Symposium on Security and Privacy, p. 15. IEEE (2006)
  8. Hamburg, M., Kocher, P., Marson, M.E.: Analysis of Intel’s Ivy Bridge digital random number generator (2012). http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf
  9. Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: Detection of widespread weak keys in network devices. In: USENIX Security Symposium, pp. 205–220 (2012)
  10. Hofemeier, G.: Intel Digital Random Number Generator (DRNG) software implementation guide (August 2012). https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide (accessed May 2014)
  11. Hofemeier, G., Chesebrough, R.: Introduction to Intel AES-NI and Intel Secure Key instructions (July 2012). https://software.intel.com/en-us/articles/introduction-to-intel-aes-ni-and-intel-secure-key-instructions (accessed May 2014)
  12. Johnston, J.D. (Intel): Personal communication (May 2014)
  13. Lacharme, P., Röck, A., Strubel, V., Videau, M.: The Linux pseudorandom number generator revisited. IACR Cryptology ePrint Archive 2012, 251 (2012)
  14. Mechalas, J.: The difference between RDRAND and RDSEED (November 2012). https://software.intel.com/en-us/blogs/2012/11/17/the-difference-between-rdrand-and-rdseed (accessed April 2014)
  15. Radhakrishnan, J., Ta-Shma, A.: Bounds for dispersers, extractors, and depth-two superconcentrators. SIAM Journal on Discrete Mathematics 13(1), 2–24 (2000)
  16. Shrimpton, T., Terashima, R.S.: A provable security analysis of Intel’s Secure Key RNG. Cryptology ePrint Archive, Report 2014/504 (2014). http://eprint.iacr.org/
  17. Walker, J.: Conceptual foundations of the Ivy Bridge random number generator (November 2011). http://www.ists.dartmouth.edu/docs/walker_ivy-bridge.pdf

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. Department of Computer Science, Portland State University, Portland, USA