From: Xin Li <delphij@delphij.net>
Reply-To: d@delphij.net
Organization: The FreeBSD Project
Date: Tue, 11 Sep 2012 13:54:41 -0700
To: RW
Cc: Arthur Mesh, Ian Lepore, Doug Barton, freebsd-rc@freebsd.org, freebsd-security@freebsd.org, Dag-Erling Smørgrav
Subject: Re: svn commit: r239569 - head/etc/rc.d
Message-ID: <504FA511.8050904@delphij.net>
In-Reply-To: <20120911205302.27484fd6@gumby.homeunix.com>
List-Id: freebsd-security@freebsd.org "Security issues [members-only posting]"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 09/11/12 12:53, RW wrote:
> On Tue, 11 Sep 2012 13:28:51 +0200 Dag-Erling Smørgrav wrote:
>
>> Doug Barton writes:
>>> 1. Pseudo-randomize the order in which we utilize the files in
>>> /var/db/entropy
>>
>> There's no need for randomization if we make sure that *all* the
>> data written to /dev/random is used, rather than just the first
>> 4096 bytes; or that we reduce the amount of data to 4096 bytes
>> before we write it so none of it is discarded. My gut feeling is
>> that compression is better than hashing for that purpose,
>
> It's analogous to a passphrase, have you ever heard of a passphrase
> being compressed rather than hashed?

Passphrase hashing is a completely different topic, as what we want
there is a one-way function that cannot be easily reversed, even when
part of the passphrase is known.

> The only good reason for compression is if compression+hashing is
> faster than hashing, and that sounds unlikely.

My reasoning was that a (lossless) compression will not lose entropy,
thus increasing per-byte entropy because the output length is smaller.
Hashing can be considered as a special, lossy compression that is not
useful here:

Let's say we feed the RNG with 4096 bytes (or 32768 bits) of entropy;
what we want is to have as many possible states for the RNG as we can.

For fully random input, we have 2^32768 possible states. However, if
the input is English, we get roughly 5 bits per character, and
therefore about 2^20480 possible states, that's 2^12288 times fewer
states.

We can fix this by doing a compression over a longer input and using
4096 bytes from that, because compression will give you more entropy
per byte. Typically gzip can give more than 7.7 bits worth of entropy
per byte.

If a hash is used, we need to be careful with the inputs. Let's say we
were using 64 bytes of characters to feed SHA512; we would get roughly
2^320 possible outputs and not 2^512, even though the output is 512
bits.

It's not clear to me whether we really need to have 32768 bits worth
of entropy at all, or if 20480 bits would be "good enough", but the
fact of feeding fewer bytes to the device makes me a little bit
concerned, but not very much.

Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJQT6URAAoJEG80Jeu8UPuz9NYH/1CXgLe2US0mdqsHJtuk/UZK
W2MVIbISX3074mvYWmMpnyl6E7u6rfXt+Fq2qsORKEQEhER+ltbgG0uT9pbquQaf
f8slM5ffnQFXvhMLmRmI6yiPKh7e9K2c05afo83VTKoN3N4OcNLupogleCEPy+Hy
cSw2gHRrlP3gSDCeXDkO2+rmprZ2rjY+Gs6nMDLewrw5/pr0iUgXWHaHJA3j5DV2
pjPQ3CFPcesPYiKaJ8NfheSwTlzBbgzWhC77FGXcKB95cx+iVxUFtghjxgYowh2w
/LhnCOilWcd/Ie559zfAtgGzbtolDEBghykQvt6bT+PvK2di+hBF9CoqoooN9VM=
=yYq0
-----END PGP SIGNATURE-----