lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4479175.Jfq03yCxQW@tauon.atsec.com>
Date:   Sun, 26 Mar 2017 23:25:24 +0200
From:   Stephan Müller <smueller@...onox.de>
To:     Krzysztof Kozlowski <krzk@...nel.org>
Cc:     Kukjin Kim <kgene@...nel.org>,
        Javier Martinez Canillas <javier@....samsung.com>,
        Matt Mackall <mpm@...enic.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
        linux-samsung-soc@...r.kernel.org, linux-crypto@...r.kernel.org,
        Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>,
        Arnd Bergmann <arnd@...db.de>, Olof Johansson <olof@...om.net>
Subject: Re: [PATCH v3 1/3] crypto: hw_random - Add new Exynos RNG driver

Am Sonntag, 26. März 2017, 20:00:12 CEST schrieb Krzysztof Kozlowski:

Hi Krzysztof,

> > Would it make sense to add another outer loop here to allow all of slen to
> > be injected into the DRNG? Note, in some cases, a user wants to add more
> > seed into the DRNG than the actual seed size. In this case, the DRNG acts
> > as a compression operation of entropy. This is used when the
> > entropy-to-data ratio is not 1:1. In a lot of cases, users have a seed
> > which has less entropy in bits per data bit.
> 
> Hi,
> 
> I do not know whether this would have any benefit on hardware. The
> datasheet is not describing too much here. It is actually saying only:
> 1. Write SEED to each register (five in total).
> 2. Confirm that STATUS register says seeding done.
> 3. Start RNG engine.
> 4. Wait for engine finish (another bit in STATUS - clear it then).
> 5. Read the randoms.
> 
> I would guess that the hardware will ignore all previously written seeds
> and use the last one. Maybe the hardware will use all of the seeds
> written as you imply. It is just a guessing.

Oh my, if you are right with your first guess, this is a bad DRNG design.

Just out of curiousity: what happens if a caller invokes the seed function 
twice or more times (each time with the sufficient amount of bits)? What is 
your guess here?

Ciao
Stephan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ