RSA Security 4.3 The Intel Random Number Generator, Whitening Hardware Results, Random Numbers

Random Numbers

The Intel Random Number Generator

The Intel Random Number Generator is dedicated hardware that harnesses system thermal noise to generate random values. The generator is free-running, accumulating random bits of data until a 32-bit buffer is filled.

Whitening Hardware Results

The bits the Intel RNG supplies to the application have been whitened by the hardware; that is, a post-processing algorithm has been applied to reduce patterns in the hardware bits and make them less predictable. The advantage of performing whitening in software as well as hardware is that an attacker must modify the hardware and the software to make the HRNG leak secret information.

If you are seeding a pseudo-random number generator, you can use the random number without whitening for optimal performance. If you plan to use the random numbers directly, you may wish to apply additional whitening. Since the Intel RNG performs its own whitening, performing additional whitening may reduce the performance of your application.

Using the Intel RNG

The Intel RNG enables your application to get the seed bits that are needed to produce cryptographic keys and challenges that in turn can protect vast quantities of data. In a few milliseconds, the Intel RNG can produce all the random bits needed to seed an application. This is significantly faster than the software mechanisms for gathering unpredictable bits. Software mechanisms can take as long as ten seconds to gather a seed and often require user input (for example, via the mouse or keyboard).

Unavailability of Hardware

If the Intel RNG is unavailable, then the appropriate action depends on the security needs of the application. If the Intel RNG is not working at start-up, and thus there are no seed bits available from hardware randomness, then an application with exceptionally high security needs may want to inform the user and exit. Most applications can simply notify the user and request a user-supplied seed.