From: "David Jaša" <djasa@redhat.com>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: Stephan Mueller <smueller@chronox.de>,
Andi Kleen <andi@firstfloor.org>,
sandyinchina@gmail.com,
Jason Cooper <cryptography@lakedaemon.net>,
John Denker <jsd@av8n.com>,
"H. Peter Anvin" <hpa@linux.intel.com>,
Joe Perches <joe@perches.com>, Pavel Machek <pavel@ucw.cz>,
George Spelvin <linux@horizon.com>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 0/5] /dev/random - a new approach
Date: Tue, 21 Jun 2016 14:25:36 +0200 [thread overview]
Message-ID: <1466511936.9421.18.camel@redhat.com> (raw)
In-Reply-To: <20160618144408.GA5344@thunk.org>
Hi,
On So, 2016-06-18 at 10:44 -0400, Theodore Ts'o wrote:
> On Fri, Jun 17, 2016 at 03:56:13PM +0200, David Jaša wrote:
> > I was thinking along the lines that "almost every important package
> > supports FreeBSD as well where they have to handle the condition so
> > option to switch to Rather Break Than Generate Weak Keys would be nice"
> > - but I didn't expect that systemd could be a roadblock here. :-/
>
> It wasn't just systemd; it also broke OpenWRT and Ubuntu Quantal
> systems from booting.
>
> > I was also thinking of little devices where OpenWRT or proprietary
> > Linux-based systems run that ended up with predictable keys way too
> > ofter (or as in OpenWRT's case, with cumbersome tutorials how to
> > generate keys elsewhere).
>
> OpenWRT and other embedded devices (a) generally use a single master
> oscillator to drive everything, and (b) often use RISC architectures
> such as MIPS.
>
> Which means that arguments of the form ``the Intel L1 / L2 cache
> architecture is ****soooo**** complicated that no human could possibly
> figure out how they would affect timing calculations, and besides, my
> generator passes FIPS 140-2 tests (never mind AES(NSA_KEY, CNTR++)
this
> also passes the FIPS 140-2 statistical tests)'' --- which I normally
> have trouble believing --- are even harder for me to believe.
>
> At the end of the day, with these devices you really badly need a
> hardware RNG.
and this.
It seems much easier to me to embed AES(NSA_KEY, CNTR++) logic directly
to HW RNG compared to tweaking of every microarchitecture to make
jitter/maxwell/havege return known numbers that are going to be mixed
with other entropy anyway (won't they?). So if I put the bits together
correctly, HW RNG helps getting more random numbers but itself is
insufficient to ensure that random numbers are truly random...
Cheers,
David Jaša
> We can't generate randomness out of thin air. The only
> thing you really can do requires user space help, which is to generate
> keys lazily, or as late as possible, so you can gather as much entropy
> as you can --- and to feed in measurements from the WiFi (RSSI
> measurements, MAC addresses seen, etc.) This won't help much if you
> have an FBI van parked outside your house trying to carry out a
> TEMPEST attack, but hopefully it provides some protection against a
> remote attacker who isn't try to carry out an on-premises attack.
>
> Cheers,
>
> - Ted
prev parent reply other threads:[~2016-06-21 12:25 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-31 18:37 [PATCH v4 0/5] /dev/random - a new approach Stephan Mueller
2016-05-31 18:37 ` [PATCH v4 1/5] crypto: DRBG - externalize DRBG functions for LRNG Stephan Mueller
2016-05-31 18:38 ` [PATCH v4 2/5] random: conditionally compile code depending on LRNG Stephan Mueller
2016-05-31 18:39 ` [PATCH v4 3/5] crypto: Linux Random Number Generator Stephan Mueller
2016-05-31 18:39 ` [PATCH v4 4/5] crypto: LRNG - enable compile Stephan Mueller
2016-05-31 18:39 ` [PATCH v4 5/5] random: add interrupt callback to VMBus IRQ handler Stephan Mueller
2016-05-31 22:34 ` [PATCH v4 0/5] /dev/random - a new approach George Spelvin
2016-06-15 16:17 ` David Jaša
2016-06-15 16:58 ` Stephan Mueller
2016-06-17 13:56 ` David Jaša
2016-06-17 15:26 ` Sandy Harris
2016-06-18 8:22 ` Stephan Mueller
2016-06-18 8:21 ` Stephan Mueller
2016-06-18 14:44 ` Theodore Ts'o
2016-06-18 16:31 ` Stephan Mueller
2016-06-20 17:07 ` Austin S. Hemmelgarn
2016-06-20 18:32 ` Stephan Mueller
2016-06-21 13:05 ` Austin S. Hemmelgarn
2016-06-21 13:19 ` Tomas Mraz
2016-06-21 17:18 ` Austin S. Hemmelgarn
2016-06-21 17:23 ` Stephan Mueller
2016-06-21 17:54 ` Austin S. Hemmelgarn
2016-06-21 18:05 ` Stephan Mueller
2016-06-21 13:20 ` Stephan Mueller
2016-06-21 17:51 ` Austin S. Hemmelgarn
2016-06-21 18:04 ` Stephan Mueller
2016-06-21 19:31 ` Austin S. Hemmelgarn
2016-06-22 5:16 ` Stephan Mueller
2016-06-22 12:54 ` Austin S. Hemmelgarn
2016-06-22 13:25 ` Stephan Mueller
2016-06-21 13:42 ` Pavel Machek
2016-06-21 17:17 ` Austin S. Hemmelgarn
2016-06-21 12:25 ` David Jaša [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1466511936.9421.18.camel@redhat.com \
--to=djasa@redhat.com \
--cc=andi@firstfloor.org \
--cc=cryptography@lakedaemon.net \
--cc=hpa@linux.intel.com \
--cc=joe@perches.com \
--cc=jsd@av8n.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@horizon.com \
--cc=pavel@ucw.cz \
--cc=sandyinchina@gmail.com \
--cc=smueller@chronox.de \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.