lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 13 Sep 2013 07:36:20 +0200
From:	Stephan Mueller <>
To:	Jörn Engel <>
Cc:	John Stultz <>,
	Theodore Ts'o <>,
	LKML <>,,
	Frederic Weisbecker <>,
	Thomas Gleixner <>
Subject: Re: [PATCH] /dev/random: Insufficient of entropy on many architectures

Am Donnerstag, 12. September 2013, 17:31:48 schrieb Jörn Engel:

Hi Jörn,

>On Tue, 10 September 2013 15:08:12 -0700, John Stultz wrote:
>> Though
>> I probably should be hesitant with my suggestions, as I'm not well
>> versed in RNG theory.
>The basic principle of Ted's RNG is very simple and quite sane:
>- You collect as much data as possible, some of which is (hopefully)
>  unpredictable.
>- All the data gets dumped into a small buffer.
>- When reading from the buffer, you create a crypto-hash of the entire
>  buffer.  Even if most of the buffer is predictable, the few
>  unpredictable bits will randomly flip every output bit.

And here the RNG theory breaks: a whitening function (crypto function) 
like the used SHA1 does not add entropy. Thus, the SHA1 just spreads out 
the entropy evenly over the output buffer. As entropy can be considered 
as a kind of percentage value, if you have, say, 10% of your input 
buffer holding entropy, applying a whitening function, you output buffer 
still holds 10% of entropy only.

That said, simply using a whitening function on a buffer with poor 
entropy is NOT going to cut it.

>- Half of the hash gets returned to the reader, the other half gets
>  added back into the pool.
>It doesn't matter if you collect predictable data - it neither helps

Oh yes, it hurts, if you update the entropy estimator on those 
predictable bits. Because then you get a deterministic RNG like 
/dev/urandom in the worst case. Thus you degrade the quality of 
/dev/random which relies on the blocking nature.

>nor hurts.  But you should collect as much unpredictable data as
>possible and do it as cheaply as possible.  If you want to improve the
>RNG, you either collect more data, collect better (less predictable)
>data or make the collection cheaper.
>People really ought to be forced to read their code aloud over the
>phone. That would rapidly improve the choice of identifiers.
>-- Al Viro

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists