From owner-freebsd-security  Mon Sep  4 14:36:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id DB34737B42C; Mon,  4 Sep 2000 14:36:30 -0700 (PDT)
Received: from localhost (kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id OAA66872;
	Mon, 4 Sep 2000 14:36:30 -0700 (PDT)
	(envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Mon, 4 Sep 2000 14:36:30 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: Adam Laurie <adam@algroup.co.uk>
Cc: James Wyatt <jwyatt@rwsystems.net>,
	Garrett Wollman <wollman@khavrinen.lcs.mit.edu>,
	Adam Back <adam@cypherspace.org>, security@FreeBSD.org
Subject: Re: yarrow & /dev/random
In-Reply-To: <39B3992B.7B823DEE@algroup.co.uk>
Message-ID: <Pine.BSF.4.21.0009041435490.23825-100000@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 4 Sep 2000, Adam Laurie wrote:

> Kris Kennaway wrote:
> > 
> > On Sun, 27 Aug 2000, James Wyatt wrote:
> > 
> > > On servers with no regular keyboard or mouse use, there is usually enough
> > > entropy in the disk and network IO to serve the purpose. Small servers
> > > with low net and disk entropy often get used as consoles for busier
> > > servers. Your mileage may vary, of course. What other sources of entropy
> > > might one consider? Maybe an AM radio tuned to static hooked into
> > > /dev/audio to get random samples? - Jy@
> > 
> > My observations suggest that a sound card tuned to maximum input gain with
> > no microphone input (i.e. sampling noise in the card) is a very good
> > source of randomness, with at least 6 bits of entropy per 16 bit sample
> > for most cards, which can be sampled at 44Khz (i.e. about 32 kilobytes of
> > randomness per second, far in excess of what Yarrow needs).
> > 
> > More than enough for even heavy server needs.
> 
> This is only safe to do if you can guarantee that your sound card is
> protected from outside influence - e.g. radio transmissions putting
> known noise into your data. TEMPEST shielding would be a good start.

If interference from men in black is part of your threat model ;-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message