On Monday 06 of January 2014 16:42:35 Miloslav Trmač wrote:
> I appreciate that you needed to write a tool like this for the thesis;
> for general usage I'd strongly urge everyone to use a general-purpose
> cryptographic library that doesn't promise to use a particular
> technology. We really want the ability to disable a
> broken/suspicious/problematic random number source by only patching a
> few cryptographic libraries, without having to individually modify
> various applications.
> Mirek

I understand your worries, but I think we have different use-cases in mind.
I'm not aiming to replace OpenSSL or something. Anyone can use the RdRand
already (if one has the HW), so I'm trying to provide a better interface for
those who would probably use the RdRand even without my library - this will
make their work easier and more secure, as they do not need to re-implement
it on their own with new bugs.

The RdRand can be securely used for things like erasing an HDD before further
encryption and so on, by a command like:

    rdrand-gen | dd iflag=fullblock of=/dev/sda bs=4k

And I believe that if RdRand is used in combination with AES and some good
random key, some possible weakness in RdRand is effectively dismissed:

    rdrand-gen | aespipe -v -P <(head -n 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65) | cat -A

This will harden the RdRand output with aespipe. Aespipe will use a keyfile
based on /dev/random and encrypt the rdrand-gen output. It will mitigate any
back-door possibly built into RdRand. The speed of this solution on my machine
is up to 300 MiB/s. :-)

Regards
Jan

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
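The combining argument in the reply above (a keystream keyed from a source independent of the hardware RNG, applied over the hardware stream), as an added Python example that is not part of the thread and not the rdrand-gen or aespipe code. HMAC-SHA256 in counter mode stands in for aespipe's AES keystream because the Python standard library has no AES, and os.urandom stands in for the /dev/random keyfile; the function names are this example's own.

```python
import hashlib
import hmac
import os

DIGEST = hashlib.sha256  # 32-byte output per HMAC call


def keystream(key: bytes, nbytes: int, label: bytes = b"rdrand-harden") -> bytes:
    """HMAC-SHA256 in counter mode: a keyed pseudorandom stream of nbytes.

    Stands in for the AES keystream aespipe derives from its keyfile.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        msg = label + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, DIGEST).digest()
        counter += 1
    return bytes(out[:nbytes])


def harden(primary: bytes, key: bytes) -> bytes:
    """XOR the hardware RNG output with a keystream from an independent key.

    For a fixed key the map is a bijection on `primary`, so the entropy of a
    good primary source is fully preserved; if instead every primary byte is
    known to an adversary (a backdoored RDRAND), the output is still a PRF
    keystream that cannot be reproduced without the key.
    """
    ks = keystream(key, len(primary))
    return bytes(p ^ k for p, k in zip(primary, ks))


def independent_key(nbytes: int = 32) -> bytes:
    """Key drawn from a source independent of the primary (the /dev/random
    keyfile in the message); os.urandom is the portable stand-in here."""
    return os.urandom(nbytes)


def adversary_can_predict(primary: bytes, key: bytes, guess_key: bytes) -> bool:
    """Adversary knows every primary byte and guesses the key: True only if the
    guess reproduces the hardened output, i.e. the key itself leaked or came
    from the same bad source as the primary."""
    return hmac.compare_digest(harden(primary, key), harden(primary, guess_key))


if __name__ == "__main__":
    backdoored = bytes(range(64))  # constructed fully predictable "RDRAND" output
    key = independent_key()
    print(harden(backdoored, key).hex())
    print("predictable with wrong key:", adversary_can_predict(backdoored, key, b"\x00" * 32))
```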