RdRand

RdRand (also RDRAND; previously known as Bull Mountain^[1]) is an instruction for returning random numbers from an Intel on-chip hardware random number generator.^[2] RdRand is available in Ivy Bridge processors^{[lower-alpha 1]} and is part of the Intel 64 and IA-32 instruction set architectures. The random number generator is compliant with security and cryptographic standards such as NIST SP 800-90A,^[4] FIPS 140-2, and ANSI X9.82.^[2]

Overview

The CPUID instruction can be used to check whether the central processing unit (CPU) supports the RDRAND instruction. If supported, bit 30 of the ECX register is set after calling CPUID standard function 01H.^[5]

The opcode for RDRAND is 0x0F 0xC7, followed by a ModRM byte that specifies the destination register and optionally combined with a REX prefix in 64 bit mode.^[6]

Intel Secure Key is Intel's code name for both the RdRand instruction and the underlying random number generator (RNG) hardware implementation.^[2] Intel calls their RNG a "digital random number generator". The generator uses an on-processor entropy source, which passes the randomly generated bits to an Advanced Encryption Standard (AES) (in CBC-MAC mode) conditioner to distill the entropy into non-deterministic random numbers. A deterministic random-bit generator is seeded by the output from the conditioner, providing cryptographically secure random numbers to applications requesting them via the RdRand instruction.^[2][7]

Intel states that RdRand employs the NIST SP800-90 standard, which specifies four random number generators: CTR DRBG (used by RdRand), Hash DRBG, HMAC DRBG,^[4] and Dual_EC_DRBG. The latter is alleged to be kleptographic.^[8] However, Intel states that RdRand only uses CTR_DRBG.

The RDSEED instruction was added to Intel Secure Key for seeding another pseudorandom number generator,^[9] available in Broadwell CPUs. The entropy source for the RDSEED instruction runs asynchronously on a self-timed circuit and uses thermal noise within the silicon to output a random stream of bits at the rate of 3 GHz.^[10]

Reception

Theodore Ts'o publicly stated about the use of RdRand for /dev/random in the Linux kernel:^[11]

I am so glad I resisted pressure from Intel engineers to let /dev/random rely only on the RDRAND instruction. To quote from the article below: 'By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors....' Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea.

Linus Torvalds dismissed concerns about the use of RdRand in the Linux kernel, and pointed out that it is not used as the only source of entropy for /dev/random, but rather used to improve the entropy by combining the values received from RdRand with other sources of randomness.^[12][13] However, Taylor Hornby of Defuse Security demonstrated that the Linux random number generator becomes completely insecure when a backdoor is introduced into the RdRand instruction. This backdoor can be inserted, for example, by means of a microcode update. Taylor's proof-of-concept implementation works on an unmodified Linux kernel.^[14][15][16]

Developers changed the FreeBSD kernel away from using RdRand and VIA PadLock directly with the comment "For [FreeBSD] 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random. It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more"^[12][17]

See also

• AES instruction set
• Bullrun (decryption program)
• OpenSSL

Notes

References

External links

• RdRand .NET Library
• RdRand .NET Open Source Project