From owner-freebsd-current@FreeBSD.ORG Thu Aug 5 15:53:58 2004
From: Sam Leffler
Organization: Errno Consulting
To: Richard Coleman
Date: Thu, 5 Aug 2004 08:53:14 -0700
References: <200408042139.52577.sam@errno.com> <4112454D.7000507@criticalmagic.com>
In-Reply-To: <4112454D.7000507@criticalmagic.com>
Message-Id: <200408050853.14374.sam@errno.com>
cc: freebsd-current@freebsd.org
cc: Robert Watson
Subject: Re: So much entropy it's coming out of our ears?

On Thursday 05 August 2004 07:33 am, Richard Coleman wrote:
> Sam Leffler wrote:
> > gathering through fast paths. I've suggested for a long time that
> > this sort of collection should be enabled only under dire
> > circumstances and never by default. Regardless, the last time I
> > looked at the entropy harvesting it used a model where entropy was
> > unilaterally sent for harvest and discarded when too plentiful. I
> > term this the "push model". I've advocated a "pull model" where the
> > PRNG requests entropy when a low water mark is hit and/or a hybrid
> > scheme where producers have some sort of flow control or feedback
> > mechanism.
> >
> > Everything that goes on inside the PRNG is a separate issue.
> >
> > Sam
>
> In general, by using a push model, you open yourself up to the possibility
> that the attacker could exhaust the entropy at just the right time so he
> can control what entropy is harvested on the next run of the PRNG. But in
> this case, we might be able to get away with it, since the PRNG is still
> cryptographically strong even when there is no new entropy flowing into the
> system (as long as the attacker doesn't know the initial state of the
> pool). Rekeying and reseeding the pool are primarily to give you forward
> security and to recover if the entropy pool has been compromised.
>
> But a push system is still better if it doesn't impact performance too
> much.

Push vs pull and exhaustion depend on your system config, which is why I
hedged with "or a hybrid scheme". If a system has a reasonable h/w entropy
source it should be able to pull enough entropy on demand to keep everyone
happy. I know this to be true for at least 4 crypto parts that include a
h/w RNG. On systems like this you want to just shut down all other forms of
entropy gathering unless you're paranoid about having a single source of
entropy.

Sam
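A toy accounting model of the two harvesting schemes argued over in this thread, added here as an example and not code from the thread or from FreeBSD's own random(4): it counts how much producer work each scheme performs in the fast path and how much of that work the push model throws away once the pool is full. The pool capacity, low-water mark, 8-bit credit per sample and reseed schedule are constructed values, and the SHA-256 mixing step is a stand-in for a real pool mixing function.

```python
"""Toy accounting model of "push" (producers always submit, surplus dropped)
versus "pull" (producers asked only below a low-water mark) harvesting."""
import hashlib
from dataclasses import dataclass, field

POOL_CAPACITY = 4096  # bits credited before surplus is dropped (constructed)
LOW_WATER = 1024      # pull/hybrid: producers are asked only below this level

@dataclass
class Pool:
    credited: int = 0         # entropy estimate currently credited to the pool
    harvest_calls: int = 0    # producer work actually performed (fast-path cost)
    discarded_calls: int = 0  # push-model work whose sample was thrown away
    state: bytes = field(default_factory=lambda: b"\x00" * 32)

    def mix(self, sample: bytes, bits: int) -> None:
        """Stand-in for the real mixing function: hash the sample into the state."""
        self.state = hashlib.sha256(self.state + sample).digest()
        self.credited = min(POOL_CAPACITY, self.credited + bits)

    def push(self, sample: bytes, bits: int) -> None:
        """Push model: the producer always does the work; a full pool drops it."""
        self.harvest_calls += 1
        if self.credited >= POOL_CAPACITY:
            self.discarded_calls += 1
            return
        self.mix(sample, bits)

    def wants_entropy(self) -> bool:
        """Feedback signal a pull/hybrid producer checks before collecting."""
        return self.credited < LOW_WATER

    def consume(self, bits: int) -> None:
        """The PRNG reseeds from the pool, debiting the entropy estimate."""
        self.credited = max(0, self.credited - bits)

def simulate(model: str, events: int = 10_000, drain_every: int = 200,
             drain_bits: int = 512, bits_per_sample: int = 8) -> Pool:
    """Run `events` fast-path events (e.g. interrupts) with a periodic reseed."""
    pool = Pool()
    for i in range(events):
        sample = i.to_bytes(4, "big")  # constructed stand-in for timing data
        if model == "push":
            pool.push(sample, bits_per_sample)
        elif model == "pull" and pool.wants_entropy():
            pool.harvest_calls += 1  # pay the collection cost only when asked
            pool.mix(sample, bits_per_sample)
        if (i + 1) % drain_every == 0:
            pool.consume(drain_bits)
    return pool
```

With these parameters the push run performs all 10,000 harvests and discards 6,352 of them, while the pull run performs 3,264 and discards none; the pull pool hovers at the low-water mark rather than at capacity, which is the trade the "hybrid" feedback scheme is meant to tune.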