From: Doug Barton
Organization: http://SupersetSolutions.com/
Date: Tue, 21 Aug 2012 00:10:36 -0700
To: Peter Jeremy
Cc: Ben Laurie, freebsd-arch@freebsd.org
Subject: Re: /dev/random
Message-ID: <5033346C.3080907@FreeBSD.org>
In-Reply-To: <20120820225504.GA78528@server.rulingia.com>
References: <20120820220243.GA96700@troutmask.apl.washington.edu> <20120820225504.GA78528@server.rulingia.com>
List-Id: Discussion related to FreeBSD architecture

On 08/20/2012 15:55, Peter Jeremy wrote:
> On 2012-Aug-20 23:05:39 +0100, Ben Laurie wrote:
>>> Well, it's hard to comment when you failed to explain
>>> *why* you think it is a mistake.
>>
>> Sorry - because I do not think it is wise to trust the h/w prng so
>> much we discard other entropy.
>
> This depends on the relative predictability of Yarrow vs the hardware
> RNG.

Throughout this thread people have been mixing up entropy sources, and
hardware and software PRNGs. A PRNG has (at least) 2 components: the
entropy source(s), and the software that turns the entropy into a stream
of pseudo-random output. You can't directly compare "yarrow" vs. Padlock
without comparing both elements.

> FreeBSD random(4) currently only supports one hardware RNG - the
> one in the VIA Nehemiah. VIA have published an independent evaluation
> of their RNG which suggests it is a good source of entropy.

I'm not sure what paper you're referring to, but according to the
padlock programming guide it's a random number generator, not (directly)
an entropy source. That said, it certainly *could* be used as an entropy
source for yarrow. The way I see it, if padlock is available, there
should be 3 options:

1. Use it as the exclusive feed for /dev/random
2. Allow the user to bypass it for the regular yarrow implementation
3. Allow padlock to be utilized as a source of entropy for yarrow.

> Additionally, the RNG is not used in a raw form, instead a Davies-Meyer
> hash is performed using the AES-128 CBC with random key, IV and
> data to further whiten the output. I am not sure whether anyone has
> done any comparison of the relative randomness of these approaches.

That's the software component of the RNG.

>> That is everything except the hardware, right? So ... all other sources.
>
> The FreeBSD random(4) device implementation currently allows only one
> RNG to be active at a time, though it should be possible to create a
> kernel thread that regularly adds entropy from a hardware RNG to the
> Yarrow state.

Right. The mechanism already exists to use devices as feeders to
yarrow's entropy pool. It should be trivial to add another one.

hth,

Doug

-- 
    I am only one, but I am one.  I cannot do everything, but I can do
    something.  And I will not let what I cannot do interfere with what
    I can do.
                        -- Edward Everett Hale, (1822 - 1909)
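The Davies-Meyer whitening step Peter describes, and Doug's point that what comes out of it is a generator's output rather than a raw entropy source, as an added example that is not code from this thread or from the FreeBSD nehemiah driver. It assumes the textbook Davies-Meyer construction (each 16-byte raw block used as the AES-128 key, feed-forward XOR of the chaining value), a constructed all-zero IV, and a constructed "stuck" hardware sample; how the real driver derives its key, IV and data from the hardware is not reproduced here.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// DaviesMeyerAES compresses raw 16-byte blocks into one 16-byte value:
// H_i = AES_{M_i}(H_{i-1}) XOR H_{i-1}, where raw block M_i is the AES-128 key
// and H_0 is the IV. This is the generic construction, not the driver's code.
func DaviesMeyerAES(iv [16]byte, raw []byte) ([16]byte, error) {
	if len(raw) == 0 || len(raw)%16 != 0 {
		return [16]byte{}, fmt.Errorf("raw input must be a non-empty multiple of 16 bytes, got %d", len(raw))
	}
	h := iv
	var enc [16]byte
	for off := 0; off < len(raw); off += 16 {
		blk, err := aes.NewCipher(raw[off : off+16]) // the message block is the key
		if err != nil {
			return [16]byte{}, err
		}
		blk.Encrypt(enc[:], h[:])
		for i := range h {
			h[i] ^= enc[i] // feed-forward: output reveals neither key nor chaining value
		}
	}
	return h, nil
}

// HammingDistance counts the bits that differ between two whitened outputs.
func HammingDistance(a, b [16]byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

func main() {
	var iv [16]byte // constructed: a real implementation takes the IV from the hardware RNG
	// Constructed raw samples: 32 bytes from a "stuck" RNG (all zero), and the same with one bit flipped.
	stuck := make([]byte, 32)
	flipped := make([]byte, 32)
	flipped[31] ^= 0x01
	h1, _ := DaviesMeyerAES(iv, stuck)
	h2, _ := DaviesMeyerAES(iv, flipped)
	fmt.Println("stuck source  :", hex.EncodeToString(h1[:]))
	fmt.Println("one bit flipped:", hex.EncodeToString(h2[:]))
	fmt.Println("output bits differing:", HammingDistance(h1, h2))
}
```

The stuck source still yields an output that looks random, which is the point of Doug's distinction: whitening conditions the distribution but cannot add entropy, so the quality of the hardware source has to be judged on its raw output, not on what comes out of the hash.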