From owner-cvs-src@FreeBSD.ORG Sat Apr 10 13:58:34 2004
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 17B3A16A4CF; Sat, 10 Apr 2004 13:58:34 -0700 (PDT)
Received: from ebb.errno.com (ebb.errno.com [66.127.85.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id BA94143D41; Sat, 10 Apr 2004 13:58:33 -0700 (PDT) (envelope-from sam@errno.com)
Received: from [66.127.85.89] ([66.127.85.89]) (authenticated bits=0) by ebb.errno.com (8.12.9/8.12.6) with ESMTP id i3AKwWiJ063683 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Sat, 10 Apr 2004 13:58:32 -0700 (PDT) (envelope-from sam@errno.com)
In-Reply-To: <200404100854.i3A8sa0w066414@grimreaper.grondar.org>
References: <200404100854.i3A8sa0w066414@grimreaper.grondar.org>
Mime-Version: 1.0 (Apple Message framework v613)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
From: Sam Leffler
Date: Sat, 10 Apr 2004 13:58:36 -0700
To: Mark Murray
X-Mailer: Apple Mail (2.613)
cc: Bruce M Simpson
cc: src-committers@FreeBSD.org
cc: Nate Lawson
cc: cvs-all@FreeBSD.org
cc: cvs-src@FreeBSD.org
Subject: Re: cvs commit: src/sys/modules/random Makefile src/sys/dev/random harvest.c hash.c hash.h nehemiah.c nehemiah.h probe.c randomdev.c randomdev.h randomdev_soft.c randomdev_soft.h yar
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the src tree
X-List-Received-Date: Sat, 10 Apr 2004 20:58:34 -0000

On Apr 10, 2004, at 1:54 AM, Mark Murray wrote:

> Bruce M Simpson writes:
>>>> http://www.cryptography.com/resources/whitepapers/index.html
>>>
>>> Actually, I have. I read it again, now, to be sure. Nothing it says
>>> suggests that what I did here is a "huge mistake". Nearest I get is
>>> the suggestion that the output from the on-chip RNG is used as a
>>> source for a hash function (like Yarrow). I feel that is overkill,
>>> and that the output of the on-chip RNG is sufficient.
>>
>> I'm inclined to trust your judgement here on this, Mark, but Nate does
>> have a valid point; we need to be sure that the entropy sources are of
>> sufficiently high quality or we risk compromising the system.
>>
>> If you could cite some independent tests for the VIA C3 on-chip RNG
>> that would be very helpful to all.
>
> How about Nate's paper? It gives the VIA C3 a very high assessment WRT
> the quality of the entropy delivered.
>
> If it is felt that further whitening of the VIA C3 RNG is needed,
> then I believe that Yarrow would be overkill, and that a much smaller
> hash function will be sufficient.

Unless I misread the paper it seemed very clear in stating that you need
to post-process the h/w RNG. I run all my h/w entropy sources through the
rndtest module (FIPS-140 testing) and frequently see that h/w entropy
sources are not to be trusted (note that rndtest samples the entropy and
that the FIPS test suite is far less stringent than the testing done in
the papers).

I have not had time to review Mark's changes but I agree with Nate that
h/w entropy sources should not be trusted and some form of post-processing
must be done. Whether this is Yarrow or something else is unclear but the
papers cited did a thorough analysis while all I've seen from Mark are
statements that he believes these sources are good. When it comes to stuff
like this I believe strongly in taking a conservative approach.

Sam
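The message above refers to running hardware entropy sources through the rndtest module, which applies the FIPS 140 statistical tests to sampled blocks, and notes that those tests are far less stringent than the analysis in the cited papers. The following added example (written for this page; it is not FreeBSD's rndtest.c and does not touch the VIA C3 hardware) implements the four FIPS 140-2 block tests on a 20,000-bit sample: monobit, poker, runs and long run, using the acceptance bounds from the 2001 edition of the standard. Two constructed inputs illustrate both halves of the point: a deterministic PRNG (splitmix64, seeded with a constant) passes every test although it contains no entropy at all, while a source whose bits are 1 with probability 1/4 fails. The names `fips140_test`, `check_prng_sample` and `check_biased_sample` and the seed value are this example's own.

```c
/*
 * Added example: FIPS 140-2 statistical tests on a 20,000-bit block,
 * in the spirit of a sampling entropy monitor like rndtest. Not the
 * FreeBSD kernel module's code.
 */
#include <stdint.h>
#include <stdio.h>

#define FIPS_BITS  20000
#define FIPS_BYTES (FIPS_BITS / 8)

/* Bitmask of failed tests; 0 means the block passed all four. */
enum { FAIL_MONOBIT = 1, FAIL_POKER = 2, FAIL_RUNS = 4, FAIL_LONGRUN = 8 };

/* FIPS 140-2 (2001) acceptance bounds for a 20,000-bit block. */
#define MONOBIT_MIN 9725
#define MONOBIT_MAX 10275
#define POKER_MIN   2.16
#define POKER_MAX   46.17
#define LONGRUN_MAX 26      /* any run of 26 or more identical bits fails */
static const int runs_min[7] = { 0, 2315, 1114, 527, 240, 103, 103 };
static const int runs_max[7] = { 0, 2685, 1386, 723, 384, 209, 209 };

/* Runs of length 6 or more share one bucket, as the standard specifies. */
static void record_run(int runs[2][7], int bit, int len)
{
    runs[bit][len > 6 ? 6 : len]++;
}

int fips140_test(const uint8_t *buf)
{
    int ones = 0, longest = 0, cur_bit = -1, cur_len = 0, fails = 0;
    long poker[16] = { 0 };
    int runs[2][7] = { { 0 } };

    for (int i = 0; i < FIPS_BYTES; i++) {
        uint8_t b = buf[i];
        poker[b >> 4]++;        /* the poker test counts 4-bit nibbles */
        poker[b & 0x0f]++;
        for (int j = 7; j >= 0; j--) {
            int bit = (b >> j) & 1;
            ones += bit;
            if (bit == cur_bit) {
                cur_len++;
            } else {
                if (cur_bit >= 0)
                    record_run(runs, cur_bit, cur_len);
                cur_bit = bit;
                cur_len = 1;
            }
            if (cur_len > longest)
                longest = cur_len;
        }
    }
    record_run(runs, cur_bit, cur_len);

    /* Monobit: the number of ones must lie strictly inside (9725, 10275). */
    if (ones <= MONOBIT_MIN || ones >= MONOBIT_MAX)
        fails |= FAIL_MONOBIT;

    /* Poker: chi-square style statistic over the 5,000 nibble frequencies. */
    double sumsq = 0.0;
    for (int i = 0; i < 16; i++)
        sumsq += (double)poker[i] * (double)poker[i];
    double x = (16.0 / 5000.0) * sumsq - 5000.0;
    if (x <= POKER_MIN || x >= POKER_MAX)
        fails |= FAIL_POKER;

    /* Runs: run counts per length, for zeros and ones separately. */
    for (int bit = 0; bit < 2; bit++)
        for (int len = 1; len <= 6; len++)
            if (runs[bit][len] < runs_min[len] || runs[bit][len] > runs_max[len])
                fails |= FAIL_RUNS;

    /* Long run: a single run of 26 or more identical bits fails the block. */
    if (longest >= LONGRUN_MAX)
        fails |= FAIL_LONGRUN;

    return fails;
}

/* splitmix64: a small, well-mixed but entirely deterministic PRNG. */
static uint64_t splitmix64(uint64_t *state)
{
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Constructed sample 1: zero-entropy PRNG output that the tests accept. */
int check_prng_sample(uint64_t seed)
{
    static uint8_t buf[FIPS_BYTES];
    uint64_t s = seed;
    for (int i = 0; i < FIPS_BYTES; i++)
        buf[i] = (uint8_t)splitmix64(&s);
    return fips140_test(buf);
}

/* Constructed sample 2: a skewed source, each bit set with probability 1/4. */
int check_biased_sample(uint64_t seed)
{
    static uint8_t buf[FIPS_BYTES];
    uint64_t s = seed;
    for (int i = 0; i < FIPS_BYTES; i++) {
        uint8_t a = (uint8_t)splitmix64(&s);
        uint8_t b = (uint8_t)splitmix64(&s);
        buf[i] = a & b;
    }
    return fips140_test(buf);
}

int main(void)
{
    printf("deterministic PRNG block: failures=0x%x\n", check_prng_sample(42));
    printf("biased source block:      failures=0x%x\n", check_biased_sample(42));
    return 0;
}
```

The first result is the caveat worth remembering when reading rndtest output: a block that passes all four tests has merely shown no gross statistical defect, which a keyed PRNG or a whitened low-entropy source does just as well, so passing is a necessary but not a sufficient condition for trusting a hardware source. A failing block, on the other hand, is strong evidence that the raw output must not be fed to consumers without post-processing, which is the direction of the conservative approach the message argues for.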