| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Mar 2017 09:43:18 -0400 From: Jeffrey Walton <noloader@...il.com> To: Stephan Müller <smueller@...onox.de> Cc: LKML <linux-kernel@...r.kernel.org>, linux-crypto@...r.kernel.org Subject: Re: [ANNOUNCE] /dev/random - a new approach (code for 4.11-rc1) >> > The design and implementation is driven by a set of goals described in [2] >> > that the LRNG completely implements. Furthermore, [2] includes a >> > comparison with RNG design suggestions such as SP800-90B, SP800-90C, and >> > AIS20/31. >> >> A quick comment about SP800 and the hardware instructions... RDSEED is >> 2 to 5 times slower than RDRAND on Intel hardware, depending on the >> architecture and microarchitecture. > > I am not sure how this statement relates to the quote above. RDSEED is the > CBC-MACed output of the flip-flop providing the raw noise. > > RDRAND is the output of the SP800-90A CTR DRBG that is seeded by the CBC-MAC > that also feeds RDSEED. Thus, RDSEED is as fast as the noise source where > RDRAND is a pure deterministic RNG that tries to be (re)seeded as often as > possible. > > Both instructions are totally unrelated to the SP800-90A DRBG available to the > Linux kernel. SP800-90A requires an entropy source to bootstrap the Hash, HMAC and CTR generators. That is, the Instantiate and Reseed functions need an approved source of entropy. Both RDRAND and RDSEED are approved for Intel chips. See SP800-90A, Section 8.6.5 (http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf). Jeff
Powered by blists - more mailing lists