Date: Tue, 28 Mar 2017 19:48:24 +0300
From: Krzysztof Kozlowski <krzk@...nel.org>
To: Stephan Müller <smueller@...onox.de>
Cc: PrasannaKumar Muralidharan <prasannatsmkumar@...il.com>, Kukjin Kim <kgene@...nel.org>, Javier Martinez Canillas <javier@....samsung.com>, Matt Mackall <mpm@...enic.com>, Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, linux-samsung-soc@...r.kernel.org, linux-crypto@...r.kernel.org, Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>, Arnd Bergmann <arnd@...db.de>, Olof Johansson <olof@...om.net>
Subject: Re: [PATCH v3 1/3] crypto: hw_random - Add new Exynos RNG driver

On Mon, Mar 27, 2017 at 03:53:03PM +0200, Stephan Müller wrote:
> Am Montag, 27. März 2017, 06:23:11 CEST schrieb PrasannaKumar Muralidharan:
>
> Hi PrasannaKumar,
>
> > > Oh my, if you are right with your first guess, this is a bad DRNG design.
> > >
> > > Just out of curiosity: what happens if a caller invokes the seed function
> > > twice or more times (each time with the sufficient amount of bits)? What
> > > is your guess here?
> >
> > Should the second seed use the random data generated by the device?
>
> A DRNG should be capable of processing an arbitrary amount of seed data. It
> may be the case that the seed data must be processed in chunks though.

As I said, I do not know the implementation details about hardware. They
are just not disclosed.

> That said, it may be the case that after injecting one chunk of seed the
> currently discussed RNG simply needs to generate a random number to process
> the input data before another seed can be added. But that is pure speculation.
>
> But I guess that can be easily tested: inject a known seed into the DRNG,
> generate a random number, inject the same seed again and again generate a
> random number. If both are identical (which I do not hope), then the internal
> state is simply overwritten (strange DRNG design).
>
> A similar test can be made to see whether a larger set of seed simply
> overwrites the state or is really processed.
>
> 1. seed
> 2. generate random data
> 3. reset
> 4. seed with another seed
> 5. generate random data
> 6. reset
> 7. seed with same data from 1
> 8. seed with same data from 2
> 9. generate random data
>
> If data from 9 is identical to 2, then additional seed data is discarded ->
> bad design. If data from 9 is identical to 5, then the additional data
> overwrites the initial data -> bad DRNG design. If data from 9 neither matches
> 2 or 5, then all seed is taken -> good design.

I tested a little bit and:
1. Seeding with some value
2. generating random,
3. kcapi_rng_destroy+kcrng_init, (I cannot do a hardware reset except
   reboot of entire system)
4. seeding with the same value as in (1)
- different random numbers.

Doing a system reboot and repeating above - different random numbers
(all are different: step (2) and in (4)).

Your test case also produces different random values every time.

Best regards,
Krzysztof
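The two black-box tests Stephan describes above, written out as an added example that is not part of this thread, the driver, or the Exynos hardware. ToyDrng is a constructed software model with a selectable seed-handling policy (mix, overwrite, discard) standing in for the three outcomes the tests are meant to tell apart; the SHA-256 construction, the policy names, the function names and the sample seeds are all assumptions made for the example. Step 8 of the nine-step list is read here as "seed again with the second seed from step 4", since that is the reading under which the comparison with step 5 is meaningful.

```python
import hashlib


class ToyDrng:
    """Toy deterministic RNG with a selectable seed-handling policy.

    Constructed model for this example only; it is not the Exynos hardware
    and not the driver's code. The three policies are the three outcomes
    Stephan's test distinguishes:
      'mix'       - new seed is hashed into the existing state (good design)
      'overwrite' - new seed replaces the state (bad design)
      'discard'   - any seed after the first one is ignored (bad design)
    """

    def __init__(self, policy):
        if policy not in ("mix", "overwrite", "discard"):
            raise ValueError("unknown policy: %r" % policy)
        self.policy = policy
        self.reset()

    def reset(self):
        """Model of a hardware reset: state and seeded flag go back to zero."""
        self.state = b"\x00" * 32
        self.seeded = False

    def seed(self, data):
        if self.policy == "mix":
            self.state = hashlib.sha256(self.state + data).digest()
        elif self.policy == "overwrite":
            self.state = hashlib.sha256(data).digest()
        else:  # 'discard': only the first seed after a reset is used
            if not self.seeded:
                self.state = hashlib.sha256(data).digest()
        self.seeded = True

    def generate(self):
        """Hash-DRBG style: output derived from state, then state ratcheted."""
        out = hashlib.sha256(self.state + b"out").digest()
        self.state = hashlib.sha256(self.state + b"next").digest()
        return out


def repeated_seed_overwrites(drng, seed):
    """Stephan's first test: seed, generate, seed again with the same value,
    generate. True means both outputs match, i.e. the second seed simply
    overwrote the internal state instead of being mixed in."""
    drng.reset()
    drng.seed(seed)
    first = drng.generate()
    drng.seed(seed)
    second = drng.generate()
    return first == second


def classify_seed_handling(drng, seed_a, seed_b):
    """Stephan's nine-step test. Returns 'discards', 'overwrites' or 'mixes'."""
    drng.reset()                 # start from a fresh state
    drng.seed(seed_a)            # 1. seed
    out_2 = drng.generate()      # 2. generate random data
    drng.reset()                 # 3. reset
    drng.seed(seed_b)            # 4. seed with another seed
    out_5 = drng.generate()      # 5. generate random data
    drng.reset()                 # 6. reset
    drng.seed(seed_a)            # 7. seed with same data from 1
    drng.seed(seed_b)            # 8. seed again with the second seed
    out_9 = drng.generate()      # 9. generate random data
    if out_9 == out_2:
        return "discards"        # additional seed data was thrown away
    if out_9 == out_5:
        return "overwrites"      # second seed replaced the first
    return "mixes"               # both seeds ended up in the state


if __name__ == "__main__":
    # Constructed sample seeds, not values from the thread.
    seed_a, seed_b = b"A" * 32, b"B" * 32
    for policy in ("mix", "overwrite", "discard"):
        d = ToyDrng(policy)
        print(policy, "->", classify_seed_handling(d, seed_a, seed_b),
              "| same seed twice gives same output:",
              repeated_seed_overwrites(d, seed_a))
```

Against real hardware the same two functions apply unchanged if `drng` is replaced by an object whose seed/generate/reset call the device; the classification logic only compares the outputs. Note that "mixes" is the outcome you want but, as Krzysztof's run shows, differing outputs on their own do not prove that the seed is processed well, only that it is not silently discarded or overwritten.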