Date: Tue, 21 Aug 2012 00:10:36 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: Peter Jeremy <peter@rulingia.com>
Cc: Ben Laurie <ben@links.org>, freebsd-arch@freebsd.org
Subject: Re: /dev/random
Message-ID: <5033346C.3080907@FreeBSD.org>
In-Reply-To: <20120820225504.GA78528@server.rulingia.com>
References: <CAG5KPzz4GQ2C_ky_qrDroQ4srGL4daW0OO-F3eOvvL-9AO6zoQ@mail.gmail.com> <20120820220243.GA96700@troutmask.apl.washington.edu> <CAG5KPzwBzWvDFDZqzT4masbknKfVe-rvdTd1h6ZxEoG90Rcxqg@mail.gmail.com> <20120820225504.GA78528@server.rulingia.com>
On 08/20/2012 15:55, Peter Jeremy wrote:
> On 2012-Aug-20 23:05:39 +0100, Ben Laurie <ben@links.org> wrote:
>>> Well, it's hard to comment when you failed to explain
>>> *why* you think it is a mistake.
>>
>> Sorry - because I do not think it is wise to trust the h/w prng so
>> much we discard other entropy.
>
> This depends on the relative predictability of Yarrow vs the hardware
> RNG.
Throughout this thread people have been mixing up entropy sources, and
hardware and software PRNGs. A PRNG has (at least) 2 components, the
entropy source(s), and the software that turns the entropy into a stream
of pseudo-random output.
You can't directly compare "yarrow" vs. Padlock without comparing both
elements.
> FreeBSD random(4) currently only supports one hardware RNG - the
> one in the VIA Nehemiah. VIA have published an independent evaluation
> of their RNG which suggests it is a good source of entropy.
I'm not sure what paper you're referring to, but according to the
padlock programming guide it's a random number generator, not (directly)
an entropy source. That said, it certainly *could* be used as an entropy
source for yarrow.
The way I see it, if padlock is available, there should be 3 options:
1. Use it as the exclusive feed for /dev/random
2. Allow the user to bypass it for the regular yarrow implementation
3. Allow padlock to be utilized as a source of entropy for yarrow.
> Additionally, the RNG is not used in a raw form, instead a Davies-Meyer
> hash is performed using the AES-128 CBC with random key, IV and
> data to further whiten the output. I am not sure whether anyone has
> done any comparison of the relative randomness of these approaches.
That's the software component of the RNG.
>> That is everything except the hardware, right? So ... all other sources.
>
> The FreeBSD random(4) device implementation currently allows only one
> RNG to be active at a time, though it should be possible to create a
> kernel thread that regularly adds entropy from a hardware RNG to the
> Yarrow state.
Right. The mechanism already exists to use devices as feeders to
yarrow's entropy pool. It should be trivial to add another one.
hth,
Doug
--
I am only one, but I am one. I cannot do everything, but I can do
something. And I will not let what I cannot do interfere with what
I can do.
-- Edward Everett Hale, (1822 - 1909)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5033346C.3080907>
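The three options for a Padlock feed laid out in the message above (exclusive feed, bypass, or one entropy source among others for the pool), modelled as an added example. This is not code from FreeBSD's random(4) driver or from Yarrow: the pool is a SHA-256 hash chain rather than Yarrow's fast/slow pools and reseed logic, the mode names are assumed, and the "padlock" stream and the software sources are constructed bytes so the script runs offline. What it shows is the point the thread circles around: a PRNG is sources plus mixer, and only the exclusive option lets someone who knows the hardware output predict /dev/random.

```python
"""Toy entropy accumulator illustrating the three options for a hardware RNG
discussed in the message (added example; not code from FreeBSD's random(4)
driver or from Yarrow). Yarrow's fast/slow pools, reseed thresholds and
generator are not modelled: the pool here is a SHA-256 hash chain, and the
'padlock' stream is constructed bytes so the script runs offline.
"""
import hashlib
import hmac
from typing import Dict

# Mode names are assumptions standing in for the three options in the message.
EXCLUSIVE = "exclusive"  # option 1: hardware RNG is the only feed
BYPASS = "bypass"        # option 2: hardware RNG ignored, software sources only
FEED = "feed"            # option 3: hardware RNG is one source among others


class Pool:
    """Hash-based entropy pool: every source is mixed in, none is trusted alone."""

    def __init__(self) -> None:
        self.state = hashlib.sha256(b"toy-pool-init").digest()
        self.harvested: Dict[str, int] = {}

    def add(self, source: str, data: bytes) -> None:
        # Domain-separate sources so identical bytes from two devices do not
        # cancel or collide; keep a per-source byte count as a crude estimate.
        tag = source.encode() + b"\0" + len(data).to_bytes(4, "big")
        self.state = hashlib.sha256(self.state + tag + data).digest()
        self.harvested[source] = self.harvested.get(source, 0) + len(data)

    def output(self, nbytes: int) -> bytes:
        # Derive output with HMAC under the pool state, then ratchet the state
        # so a later compromise of the pool does not reveal earlier output.
        out = b""
        counter = 0
        while len(out) < nbytes:
            out += hmac.new(self.state, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        self.state = hashlib.sha256(b"ratchet" + self.state).digest()
        return out[:nbytes]


def produce(mode: str, hw_stream: bytes, sw_sources: Dict[str, bytes], nbytes: int = 32) -> bytes:
    """One reseed-and-output cycle of the toy pool under the chosen mode."""
    if mode not in (EXCLUSIVE, BYPASS, FEED):
        raise ValueError(f"unknown mode {mode!r}")
    pool = Pool()
    if mode in (EXCLUSIVE, FEED):
        pool.add("padlock", hw_stream)       # the hardware RNG as a feeder
    if mode in (BYPASS, FEED):
        for name, data in sw_sources.items():
            pool.add(name, data)             # the existing software feeders
    return pool.output(nbytes)


def attacker_can_predict(mode: str, hw_stream: bytes, sw_sources: Dict[str, bytes]) -> bool:
    """Model an attacker who knows the hardware stream exactly (a failed or
    backdoored device) but none of the software sources. Their best guess is
    the pool output fed with the hardware stream alone."""
    guess = produce(mode, hw_stream, {})
    return guess == produce(mode, hw_stream, sw_sources)


# Constructed inputs: a "stuck" hardware RNG that always returns the same
# bytes, and two software sources standing in for the kernel's usual harvests.
STUCK_HW = bytes(range(32))
SW = {"interrupt": b"\x17\x02\xa9\x4c" * 8, "attach": b"ada0 at ahcich0 bus 0"}


def demo() -> Dict[str, bool]:
    """Which of the three modes is predictable given full knowledge of the h/w stream."""
    return {mode: attacker_can_predict(mode, STUCK_HW, SW) for mode in (EXCLUSIVE, BYPASS, FEED)}


if __name__ == "__main__":
    for mode, predictable in demo().items():
        print(f"{mode:9s} predictable by an attacker who knows the h/w stream: {predictable}")
```

Running it prints that only the exclusive mode is predictable. The feed mode still changes its output when the hardware stream changes, so a good Padlock device adds to the pool, while a stuck or untrusted one cannot subtract from what the other feeders contributed. That separation of the trust decision (which mode) from the mixing code (the pool) is what lets the hardware RNG be "another feeder" without rewriting the generator.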
