Intel Management Engine and RNG


Catacombs

Apr 17, 2020, 5:06:19 AM
to qubes-users
It is my understanding that the “Number Generator” is on the MOBO. Could the “Intel Management Engine” be changed to alter the RNG to create weakened Encryption?

Could the IME be altered to load malware to steal Passwords and then to send them somewhere?

dhorf-hfre...@hashmail.org

Apr 17, 2020, 5:26:22 AM
to Catacombs, qubes-users
On Fri, Apr 17, 2020 at 02:06:19AM -0700, Catacombs wrote:
> It is my understanding that the “Number Generator” is on the MOBO.
> Could the “Intel Management Engine” be changed to alter the RNG
> to create weakened Encryption?

yes.


> Could the IME be altered to load malware to steal Passwords and then
> to send them somewhere.

yes.


also: nothing new there.
if your cpu is actively working against you, game over.


Catacombs

Apr 17, 2020, 5:53:01 PM
to qubes-users
I would have thought someone could suggest a more trustworthy RNG.

One of the original means of trustworthy communications was to use two different computers.

One was air gapped and used to write encrypted email. And later to open and decrypt email from the online computer.

Point being, if the air gapped machine generated the keys, much harder for someone to break into emails.

Which brings me to how to find a more trustworthy RNG.

dhorf-hfre...@hashmail.org

Apr 17, 2020, 6:28:11 PM
to Catacombs, qubes-users
On Fri, Apr 17, 2020 at 02:53:01PM -0700, Catacombs wrote:
> I would have thought someone could suggest a more trustworthy RNG.

there is no real problem with using the intel RNG.
if it is as part of a proper software RNG setup.
(just don't use anything handpatched by debian devs... *coughs*)


> One of original means of trustworthy communications was to use two
> different computers.
> One was air gapped and used to write encrypted email. And later to
> open and decrypt email from the online computer.

how do you transfer data to/from the "secure" machine?
how do you make sure the airgapped machine has enough entropy?
bottomless rabbitholes full of snakes.


> Which brings me to how to find a more trustworthy RNG

if you don't trust the RNG, why would you trust the CPU?

use 3+ different machines. like one intel, one amd, one raspi.
or mix something really retro / exotic in.
or build your own hardware rng from a bunch of diodes, opamps, and
some leds for display.
or based on a radiation counter.
the more, the merrier.

use each of these machines to generate a transport-grade entropy pad.
print these, or write them down in case of sources that don't have
printer support. i recommend hex.
the quality of each individual transport pad is not critical.
they just need to be unrelated to each other.

exchange the transport grade pads with your communications partners,
using a different path of transmission for each of the pads.
or different couriers. *wiggles fronds*

use pen+paper xor to manually turn the transport-pads into usage-pads
and to en/decrypt transmissions.
using hex notation and xor tables helps a lot with this.
make sure to never ever reuse pad sequences.

this way you don't have to trust the CPU(s) either.
and it encourages succinct communications.
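
The pad procedure described in the last message, as an added example that is not part of the original thread: it XORs several hex transport pads into one usage pad, uses that pad to en/decrypt, and refuses to reuse pad bytes. The pad values and all names (`combine_pads`, `UsagePad`, `PAD_INTEL` and so on) are constructed for illustration.

```python
def parse_pad(hex_text: str) -> bytes:
    """Parse a hand-copied hex pad, ignoring spaces and line breaks."""
    return bytes.fromhex("".join(hex_text.split()))

def combine_pads(transport_pads: list[bytes]) -> bytes:
    """XOR equal-length transport pads into one usage pad."""
    if len(transport_pads) < 2:
        raise ValueError("need at least two unrelated transport pads")
    if len({len(p) for p in transport_pads}) != 1:
        raise ValueError("transport pads must all have the same length")
    usage = bytearray(len(transport_pads[0]))
    for pad in transport_pads:
        for i, byte in enumerate(pad):
            usage[i] ^= byte
    return bytes(usage)

class UsagePad:
    """Hands out every pad byte exactly once, so no pad sequence is reused."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0  # index of the first pad byte not yet consumed

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def crypt(self, data: bytes) -> bytes:
        """XOR data with the next unused pad bytes (encrypt and decrypt are the same)."""
        if len(data) > self.remaining():
            raise ValueError("pad exhausted: generate and exchange new pads")
        chunk = self._pad[self._offset:self._offset + len(data)]
        self._offset += len(data)
        return bytes(d ^ k for d, k in zip(data, chunk))

# Constructed sample pads standing in for three unrelated machines.
PAD_INTEL = parse_pad("3a f1 09 c4 7e 52 b8 0d")
PAD_AMD = parse_pad("c7 18 e2 5b 90 4f 21 a6")
PAD_RASPI = parse_pad("00 00 00 00 00 00 00 00")  # a source that failed to all zeros

if __name__ == "__main__":
    usage = combine_pads([PAD_INTEL, PAD_AMD, PAD_RASPI])
    sender, receiver = UsagePad(usage), UsagePad(usage)
    ciphertext = sender.crypt(b"meet")
    print("usage pad :", usage.hex())
    print("ciphertext:", ciphertext.hex())
    print("decrypted :", receiver.crypt(ciphertext))
```

The all-zero pad leaves the XOR of the other two pads unchanged, which is why one bad source does not weaken the usage pad as long as another source is good and unrelated to it.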

