Date: Wed, 11 Sep 2013 18:11:25 +0100
From: Mark R V Murray <mark@grondar.org>
To: Harald Schmalzbauer <h.schmalzbauer@omnilan.de>
Cc: FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject: Re: HW fed /dev/random
Message-ID: <38CD9A0D-7FEF-4F81-9138-1F80E205A9BA@grondar.org>
In-Reply-To: <522F6155.40101@omnilan.de>
References: <522F6155.40101@omnilan.de>

On 10 Sep 2013, at 19:13, Harald Schmalzbauer <h.schmalzbauer@omnilan.de> wrote:

> Hello,
>
> some time ago, before random(4) was rewritten for FreeBSD 5 by Mark
> Murray, we had rng, the i815 hardware random number generator.
> At this time, there were rumors about the quality of the randomness.
>
> Now we have rdrand (BullMountain hardware random generator in IvyBridge)
> and Dual_EC_DRBG (NSA's NIST contribution) makes me wonder if quality is
> again something to worry about - although kib's commit message states:
> „From the Intel whitepapers and articles about Bull Mountain, it seems
> that we do not need to perform post-processing of RDRAND results, like
> AES-encryption of the data with random IV and keys, which was done for
> Padlock. Intel claims that sanitization is performed in hardware.“
>
> When we use the software random device, one has great control over
> /dev/random with sysctl kern.random.
> Are there considerations to extend the HW-rng-implementation by optional
> post processing?

Yes. This was discussed in Cambridge recently, and will no doubt be brought up again in Malta. There are indeed plans to post-process the output of rdrand.

M

--
Mark R V Murray