Date: Tue, 21 Aug 2012 00:10:36 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: Peter Jeremy <peter@rulingia.com>
Cc: Ben Laurie <ben@links.org>, freebsd-arch@freebsd.org
Subject: Re: /dev/random
Message-ID: <5033346C.3080907@FreeBSD.org>
In-Reply-To: <20120820225504.GA78528@server.rulingia.com>
References: <CAG5KPzz4GQ2C_ky_qrDroQ4srGL4daW0OO-F3eOvvL-9AO6zoQ@mail.gmail.com> <20120820220243.GA96700@troutmask.apl.washington.edu> <CAG5KPzwBzWvDFDZqzT4masbknKfVe-rvdTd1h6ZxEoG90Rcxqg@mail.gmail.com> <20120820225504.GA78528@server.rulingia.com>
On 08/20/2012 15:55, Peter Jeremy wrote:
> On 2012-Aug-20 23:05:39 +0100, Ben Laurie <ben@links.org> wrote:
>>> Well, it's hard to comment when you failed to explain
>>> *why* you think it is a mistake.
>>
>> Sorry - because I do not think it is wise to trust the h/w prng so
>> much we discard other entropy.
>
> This depends on the relative predictability of Yarrow vs the hardware
> RNG.

Throughout this thread people have been mixing up entropy sources, and
hardware and software PRNGs. A PRNG has (at least) 2 components, the
entropy source(s), and the software that turns the entropy into a
stream of pseudo-random output. You can't directly compare "yarrow" vs.
Padlock without comparing both elements.

> FreeBSD random(4) currently only supports one hardware RNG - the
> one in the VIA Nehemiah. VIA have published an independent evaluation
> of their RNG which suggests it is a good source of entropy.

I'm not sure what paper you're referring to, but according to the
padlock programming guide it's a random number generator, not
(directly) an entropy source. That said, it certainly *could* be used
as an entropy source for yarrow.

The way I see it, if padlock is available, there should be 3 options:

1. Use it as the exclusive feed for /dev/random
2. Allow the user to bypass it for the regular yarrow implementation
3. Allow padlock to be utilized as a source of entropy for yarrow.

> Additionally, the RNG is not used in a raw form, instead a Davies-Meyer
> hash is performed using the AES-128 CBC with random key, IV and
> data to further whiten the output. I am not sure whether anyone has
> done any comparison of the relative randomness of these approaches.

That's the software component of the RNG.

>> That is everything except the hardware, right? So ... all other sources.
>
> The FreeBSD random(4) device implementation currently allows only one
> RNG to be active at a time, though it should be possible to create a
> kernel thread that regularly adds entropy from a hardware RNG to the
> Yarrow state.

Right. The mechanism already exists to use devices as feeders to
yarrow's entropy pool. It should be trivial to add another one.

hth,

Doug

--
I am only one, but I am one. I cannot do everything, but I can do
something. And I will not let what I cannot do interfere with what I
can do.
-- Edward Everett Hale, (1822 - 1909)
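As an added illustration of the three options discussed above (example code, not FreeBSD's random(4) or anything posted in this thread), the toy model below stands a SHA-256 accumulate-then-hash pool in for Yarrow and shows why option 3 matters: with a stuck hardware RNG, only feeding it into the pool alongside the other harvested sources keeps their contribution in the output. `Policy`, `Pool`, `random_bytes` and the sample events are assumed names and constructed data; the Davies-Meyer/AES whitening mentioned in the thread is replaced by a plain hash.

```python
import hashlib
from enum import Enum
from typing import Dict


class Policy(Enum):
    HW_EXCLUSIVE = 1  # option 1: hardware RNG is the only feed for /dev/random
    BYPASS_HW = 2     # option 2: ignore the hardware RNG, software pool alone
    HW_AS_SOURCE = 3  # option 3: hardware RNG is one more feeder into the pool


class Pool:
    """Toy accumulate-then-hash pool standing in for Yarrow's entropy pool."""

    def __init__(self) -> None:
        self.state = b"\x00" * 32

    def harvest(self, source_id: str, sample: bytes) -> None:
        # Mix each feeder in together with its identity; a stuck source
        # cannot erase what other feeders already contributed.
        self.state = hashlib.sha256(self.state + source_id.encode() + sample).digest()

    def output(self, n: int) -> bytes:
        out, counter = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self.state + counter.to_bytes(4, "big")).digest()
            counter += 1
        # Rekey so earlier output cannot be recovered from the new state.
        self.state = hashlib.sha256(b"rekey" + self.state).digest()
        return out[:n]


def random_bytes(policy: Policy, hw_sample: bytes,
                 other_samples: Dict[str, bytes], n: int = 32) -> bytes:
    """Produce n bytes under the given policy (deterministic for the test)."""
    if policy is Policy.HW_EXCLUSIVE:
        # Whitened hardware output only; no other source contributes.
        return hashlib.sha256(hw_sample).digest()[:n]
    pool = Pool()
    for source_id in sorted(other_samples):
        pool.harvest(source_id, other_samples[source_id])
    if policy is Policy.HW_AS_SOURCE:
        pool.harvest("padlock", hw_sample)  # hardware RNG as one feeder
    return pool.output(n)


# Constructed samples (not real kernel data): a hardware RNG stuck at zero
# and two different batches of software-harvested events.
STUCK_HW = b"\x00" * 32
EVENTS_A = {"interrupt": b"\x11\x22\x33", "ethernet": b"\xaa\xbb"}
EVENTS_B = {"interrupt": b"\x44\x55\x66", "ethernet": b"\xcc\xdd"}
```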