Date: Sat, 19 Apr 2008 17:56:55 +0100
From: RW <fbsd06@mlists.homeunix.com>
To: freebsd-hackers@freebsd.org
Subject: Yarrow's Counter
Message-ID: <20080419175655.51a37bb2@gumby.homeunix.com.>
The random number generator in FreeBSD's Yarrow implementation uses
AES256 in counter mode. When a reseed occurs the generator is
reinitialised like this:
- generate a new cypher-key from the pool[s] and the old key
- zero the counter
- encrypt the (zeroed) counter with the new key
My question is: why zero the counter?
If it's not zeroed then the old counter is encrypted instead, and after
a few reseeds the counter will accumulate an independent 256 bits of
entropy, rather than being a function of the new key.
Should I submit a patch? It's simply a matter of deleting two
lines in reseed() in sys/dev/random/yarrow.c.
	yarrow_hash_finish(&context, temp);
	yarrow_encrypt_init(&random_state.key, temp);

	/* 4. Recompute the counter */
	for (i = 0; i < 4; i++)              <---
		random_state.counter[i] = 0;     <---
	yarrow_encrypt(&random_state.key, random_state.counter, temp);
	memcpy(random_state.counter, temp, sizeof(random_state.counter));
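The reseed procedure described in the post, modelled as an added example (not FreeBSD's code and not part of the original message). It assumes HMAC-SHA256 as a stand-in for the AES-256 block function and a plain hash of old key plus pool material as the key derivation; both are simplifications chosen so the script runs offline. The two helper functions show the behavioural difference the poster points out: with the counter zeroed, the state after a reseed is a function of the new key alone, so two generators with different histories that receive the same pool material produce identical output; with the counter kept, the pre-reseed counter continues to influence the state across reseeds.

```python
import hashlib
import hmac

# The generator keeps a 256-bit key and a 256-bit counter, mirroring the
# AES-256 counter-mode layout the post describes. HMAC-SHA256 is used here
# as a stand-in keyed block function (assumption: not FreeBSD's AES code).
COUNTER_BITS = 256
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def encrypt_block(key: bytes, counter: int) -> bytes:
    """Keyed block-function stand-in: E_key(counter) -> 32 bytes."""
    return hmac.new(key, counter.to_bytes(32, "big"), hashlib.sha256).digest()


class CtrGenerator:
    def __init__(self, seed: bytes):
        # Initial key from seed material; the counter starts at E_key(0),
        # exactly as a first reseed with a zeroed counter would leave it.
        self.key = hashlib.sha256(b"initial|" + seed).digest()
        self.counter = int.from_bytes(encrypt_block(self.key, 0), "big")

    def reseed(self, pool_material: bytes, zero_counter: bool = True) -> None:
        # 1. new key from the pool material and the old key (simplified hash)
        self.key = hashlib.sha256(self.key + pool_material).digest()
        # 2. the questioned step: discard whatever the counter held
        if zero_counter:
            self.counter = 0
        # 3. encrypt the (possibly zeroed) counter with the new key
        self.counter = int.from_bytes(encrypt_block(self.key, self.counter), "big")

    def next_block(self) -> bytes:
        # Counter mode: increment, then encrypt the counter to get output.
        self.counter = (self.counter + 1) & COUNTER_MASK
        return encrypt_block(self.key, self.counter)


def streams_match_after_reseed(zero_counter: bool, blocks: int = 4) -> bool:
    """Two generators that share a key but have run for different lengths
    are reseeded with identical pool material. Returns True when their
    post-reseed output streams are identical, i.e. when the new state is a
    function of the new key alone."""
    g1 = CtrGenerator(b"constructed seed")
    g2 = CtrGenerator(b"constructed seed")
    for _ in range(3):
        g1.next_block()
    for _ in range(7):
        g2.next_block()
    pool = b"constructed pool material"
    g1.reseed(pool, zero_counter)
    g2.reseed(pool, zero_counter)
    return all(g1.next_block() == g2.next_block() for _ in range(blocks))


def counter_depends_on_history(reseeds: int = 3) -> bool:
    """With zeroing disabled, the counter after several reseeds still
    depends on how many blocks were drawn before the first reseed."""
    g1 = CtrGenerator(b"constructed seed")
    g2 = CtrGenerator(b"constructed seed")
    g2.next_block()  # g2 is one block ahead of g1
    for i in range(reseeds):
        pool = b"constructed pool %d" % i
        g1.reseed(pool, zero_counter=False)
        g2.reseed(pool, zero_counter=False)
    return g1.counter != g2.counter


if __name__ == "__main__":
    print("zeroed counter, streams match:", streams_match_after_reseed(True))
    print("kept counter, streams match:  ", streams_match_after_reseed(False))
    print("kept counter carries history: ", counter_depends_on_history())
```

The script says nothing about whether the extra dependency matters in practice; it only makes the state difference the post asks about observable. Zeroing gives a state that is fully reconstructible from the new key, which is the property the original Yarrow design relies on for recovery after a compromise, while keeping the counter makes the state depend on the whole generator history as well.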