lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 4 Feb 2014 12:08:23 -0500
From:	Theodore Ts'o <tytso@....edu>
To:	Stephan Mueller <smueller@...onox.de>
Cc:	Jörn Engel <joern@...fs.org>,
	"H. Peter Anvin" <hpa@...or.com>,
	Linux Kernel Developers List <linux-kernel@...r.kernel.org>,
	macro@...ux-mips.org, ralf@...ux-mips.org, dave.taht@...il.com,
	blogic@...nwrt.org, andrewmcgr@...il.com, geert@...ux-m68k.org,
	tg@...bsd.de, sandyinchina@...il.com
Subject: Re: [RFC PATCH 0/5] CPU Jitter RNG

I really wish we could get someone inside Intel who has deep knowledge
about CPU internals to render an opinion about this.  My reaction to
"I can't explain where the entropy is coming from" seems very similar
to what my home grown attempts to create an encryption algoritm when I
was much younger and much more foolish --- "it must be secure because
I can't break it".

I will note that there are parts of 

> [2] http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.html

which don't really add much to the discussion, but instead just simply
make an expert question how deep the analysis has gone.  Measuring the
statistical tests of the entropy pool is a complete waste of time ---
and in general, using things like "dieharder" don't do anything to
increase one's confidence (and could decrease one's confidence if it
makes it appear too much like a snake oil sales document).  Sure,
passing dieharder is necessary, but it isn't even vaguely close to
sufficient.

Modulo questions of how much CPU overhead it has, I wouldn't have an
objection to adding additional sources into the entropy pool, such as
what Joern has suggested.  It's when there is a proposal to give such
output entropy credit that I start to get queasy.  (But then again,
since most applications uses /dev/urandom, the question of entropy
credit isn't that important for many use cases.)

       	     	  	    	     	 - Ted

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ