From: Jonathan Anderson
To: Pawel Jakub Dawidek
Cc: freebsd-security@freebsd.org
Date: Wed, 19 Sep 2012 19:30:52 +0100
Subject: Re: Collecting entropy from device_attach() times.
In-Reply-To: <20120918211422.GA1400@garage.freebsd.pl>
References: <20120918211422.GA1400@garage.freebsd.pl>

On Tuesday, 18 September 2012 at 22:14, Pawel Jakub Dawidek wrote:
> I experimented a bit with collecting entropy from the time it takes for
> device_attach() to run (in CPU cycles). It seems that those times have
> enough variation that we can use it for entropy harvesting. It happens
> even before root is mounted, so pretty early.
>

That sounds really great.

> If all the times are more or less equally probable in this range […]

They're very unlikely to be equally probable. It would make sense to do some characterization of these times and their statistics: a highly non-uniform distribution would mean that we don't actually get many bits per attach.

> […] we have more
> than 19 bits of entropy from this one call, but I reduced it to four
> bits only, because there are devices that are much faster to attach.
>

Another reason for doing the above characterization is that, if a particular device_attach() really does provide 12 bits of uncertainty, it's a shame to drop eight of them on the floor.

> We could make the code more complex by assuming 0.01% of the time
> varies, which should still be safe and will allow us to collect more
> entropy from those long calls.
>

I'm a bit leery of assuming that things "should still be safe" for the above reasons. Again, some hard numbers would really help here. Maybe we should even convince a student to do a project. :)

Jon

--
Jonathan Anderson
Research Associate
Computer Laboratory
University of Cambridge
jonathan.anderson@cl.cam.ac.uk
+44 1223 763 747
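The kind of characterization Jon asks for, as an added illustration that is not code from this thread or from FreeBSD: given a set of device_attach() cycle-count samples, compute the empirical Shannon entropy and min-entropy of their low bits, and find how many low bits can be credited as close to uniform instead of a fixed four. The two sample sets (a "slow" device whose time wanders over 4096 consecutive cycle values, and a "fast" device that is almost always the same) are constructed, not measured; the function names and the 0.1-bit slack are the example's own choices.

```python
"""Characterize device_attach() timing samples: how many bits of entropy
do their low bits really carry?  Added illustration for the thread above,
not FreeBSD code; the cycle counts below are constructed, not measured."""
import math
from collections import Counter
from typing import Iterable, List, Tuple


def low_bits(cycles: int, bits: int) -> int:
    """Keep only the low `bits` bits of a cycle count, as a harvester would."""
    return cycles & ((1 << bits) - 1)


def entropy_estimates(samples: Iterable[int], bits: int) -> Tuple[float, float]:
    """Empirical (Shannon entropy, min-entropy), in bits, of the low `bits` bits.

    Shannon entropy is the average information per sample; min-entropy,
    -log2(p_max), is the conservative figure for seeding a CSPRNG because it
    is governed by the single most likely outcome, not the average one."""
    counts = Counter(low_bits(s, bits) for s in samples)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no samples")
    probs = [c / total for c in counts.values()]
    shannon = -sum(p * math.log2(p) for p in probs)
    min_entropy = -math.log2(max(probs))
    return shannon, min_entropy


def usable_bits(samples: List[int], max_bits: int, slack: float = 0.1) -> int:
    """Largest k <= max_bits such that the low k bits have min-entropy of at
    least k - slack, i.e. they are close to uniform.  Credit this many bits
    per attach rather than a fixed number.  Uniformity of the low k bits
    implies uniformity of the low k-1 bits, so stop at the first failure."""
    best = 0
    for k in range(1, max_bits + 1):
        _, h_min = entropy_estimates(samples, k)
        if h_min < k - slack:
            break
        best = k
    return best


# Constructed sample sets (not measurements).  A "slow" device whose attach
# time covers 4096 consecutive cycle values, so every low-bit pattern up to
# 12 bits is equally likely ...
SLOW_BASE = 0x7_0000_0000
SLOW_DEVICE_SAMPLES = [SLOW_BASE + i for i in range(4096)]

# ... and a "fast" device whose attach time is almost always the same:
# 70% at base+5, 20% at base+6, 10% at base+7 cycles.
FAST_BASE = 0x2_0000
FAST_DEVICE_SAMPLES = ([FAST_BASE + 5] * 700
                       + [FAST_BASE + 6] * 200
                       + [FAST_BASE + 7] * 100)


if __name__ == "__main__":
    for name, samples in (("slow", SLOW_DEVICE_SAMPLES), ("fast", FAST_DEVICE_SAMPLES)):
        h, h_min = entropy_estimates(samples, 4)
        print(f"{name}: low 4 bits -> Shannon {h:.2f} b, min-entropy {h_min:.2f} b, "
              f"usable bits {usable_bits(samples, 16)}")
```

On these constructed inputs the slow device's low four bits carry the full 4.0 bits and 12 low bits can be credited, while the fast device's low four bits carry about 1.16 bits of Shannon entropy but only about 0.51 bits of min-entropy, and no low bit is close enough to uniform to credit at all. Two caveats when running this on real measurements: the empirical estimate for large k is biased low unless the sample count is well above 2^k, and samples collected across boots are what matter, since within a single boot the attach times of one device are not independent draws.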