| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Mar 2017 19:48:24 +0300
From: Krzysztof Kozlowski <krzk@...nel.org>
To: Stephan Müller <smueller@...onox.de>
Cc: PrasannaKumar Muralidharan <prasannatsmkumar@...il.com>,
Kukjin Kim <kgene@...nel.org>,
Javier Martinez Canillas <javier@....samsung.com>,
Matt Mackall <mpm@...enic.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>,
linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
linux-samsung-soc@...r.kernel.org, linux-crypto@...r.kernel.org,
Bartlomiej Zolnierkiewicz <b.zolnierkie@...sung.com>,
Arnd Bergmann <arnd@...db.de>, Olof Johansson <olof@...om.net>
Subject: Re: [PATCH v3 1/3] crypto: hw_random - Add new Exynos RNG driver
On Mon, Mar 27, 2017 at 03:53:03PM +0200, Stephan Müller wrote:
> Am Montag, 27. März 2017, 06:23:11 CEST schrieb PrasannaKumar Muralidharan:
>
> Hi PrasannaKumar,
>
> > > Oh my, if you are right with your first guess, this is a bad DRNG design.
> > >
> > > Just out of curiousity: what happens if a caller invokes the seed function
> > > twice or more times (each time with the sufficient amount of bits)? What
> > > is
> > > your guess here?
> >
> > Should the second seed use the random data generated by the device?
>
> A DRNG should be capable of processing an arbitrary amount of seed data. It
> may be the case that the seed data must be processed in chunks though.
>
As I said, I do not know the implementation details about hardware. They
are just not disclossed.
> That said, it may be the case that after injecting one chunk of seed the
> currently discussed RNG simply needs to generate a random number to process
> the input data before another seed can be added. But that is pure speculation.
>
> But I guess that can be easily tested: inject a known seed into the DRNG,
> generate a random number, inject the same seed again and again generate a
> random number. If both are identical (which I do not hope), then the internal
> state is simply overwritten (strange DRNG design).
>
> A similar test can be made to see whether a larger set of seed simply
> overwrites the state or is really processed.
>
> 1. seed
> 2. generate random data
> 3. reset
> 4. seed with anther seed
> 5. generate random data
> 6. reset
> 7. seed with same data from 1
> 8. seed with same data from 2
> 9. generate random data
>
> If data from 9 is identical to 2, then additional seed data is discarded ->
> bad design. If data from 9 is identical to 5, then the additional data
> overwrites the initial data -> bad DRNG design. If data from 9 neither matches
> 2 or 5, then all seed is taken -> good design.
I tested a little bit and:
1. Seeding with some value
2. generating random,
3. kcapi_rng_destroy+kcrng_init, (I cannot do a hardware reset except
reboot of entire system)
4. seeding with the same value as in (1) - different random numbers.
Doing a system reboot and repeating above - different random numbers
(all are different: step (2) and in (4)).
Your test case also produces different random values every time.
Best regards,
Krzysztof
Powered by blists - more mailing lists