kbmMW safety first #3 – Hardware based random numbers #2

In the previous blog Hardware based random numbers, I showed how to generate very high quality random numbers using an external HW based random number generator.

However later CPUs from Intel and AMD also contains random value generators.

Intel CPUs from and including Ivy Bridge, and AMD CPUs starting from June 2015 contains a pseudo random number generator instruction RDRAND. Depending on view, it might be better than other pseudo random number generators, but it is still pseudo.

From Intel Broadwell CPUs and AMD Zen, the CPUs also included a TRNG (True Random Number Generator) op code named RDSEED.

Next release of kbmMW expands on its random number generator framework to now also include these 4:

  • TkbmMWCPURand32
  • TkbmMWCPURand64
  • TkbmMWCPUTRNG32
  • TkbmMWCPUTRNG64

TkbmMWCPURandxx use the RDRAND pseudo random number generator instruction, while TkbmMWCPUTRNGxx use the RDSEED CPU instruction.

All 4 are supported on Intel and AMD CPUs in both 32 bit and 64 bit applications.

When instantiating a random generator, it will automatically detect if the CPU actually supports the correct instructions. If not, an exception indicating so will be thrown.

Should you use the builtn CPU based or the external HW TRNG? It depends on the version of the CPU you are using, and if you trust that there are no backdoors in the Intel/AMD provided random number generators vs your trust in the same with an external HW TRNG.

A backdoor means that the so called TRNG may act like a TRNG, but in fact it can be tricked/triggered into behaving non random, which can affect encryption and password security.

Basically I cant answer which to use. I do trust an open source solution more than a closed source one, because its possible to scrutinize the implementation, provided you have the knowledge to do so, but on the other hand, not all 3rdparty TRNGs can be trusted to be of good quality, despite being open source.

Author: kimbomadsen

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.