From: Theodore Ts'o <tytso@mit.edu>
To: Stephan Mueller <smueller@chronox.de>
Cc: linux-crypto@vger.kernel.org, lkml <linux-kernel@vger.kernel.org>
Subject: Re: [RFC][PATCH] Entropy generator with 100 kB/s throughput
Date: Sat, 9 Feb 2013 13:06:29 -0500 [thread overview]
Message-ID: <20130209180629.GD8091@thunk.org> (raw)
In-Reply-To: <51157686.9000404@chronox.de>
On Fri, Feb 08, 2013 at 11:04:54PM +0100, Stephan Mueller wrote:
> * an array of statistical test suites pass the output of the entropy
> collector
> (again, the output is not mangled with cryptography)
You're not mangling the output with cryptography, but you are doing
some mangling in jitterentropy_cpu_jitter().
So let's be clear about what the heart of your entropy source is:
You're getting the nanoseconds out of clock_gettime(CLOCK_REALTIME),
and then mixing it using XOR and a ROL(3) into a 64-bit buffer, and
interspersing the calls to clock_gettime() with schedule().
So what a code breaker at the NSA would probably try to do first is to
measure is whether there is any kind of bias or non-entropy in the
nanoseconds returned by CLOCK_REALTIME after calls to schedule(). If
they can find any kind of bias, they can use that to calculate what
kind of patterns or non-random bits might end up showing up after you
do your non-cryptographic mangling.
For that reasons, what I would suggest doing first is generate a
series of outputs of jitterentropy_get_nstime() followed by
schedule(). Look and see if there is any pattern. That's the problem
with the FIPS 140-2 tests. Passing those tests are necessary, but
*NOT* sufficient to prove that you have a good cryptographic
generator. Even the tiniest amount of post-processing, even if they
aren't cryptographic, can result in an utterly predictable series of
numbers to pass the FIPS 140-2 tests.
Regards,
- Ted
next prev parent reply other threads:[~2013-02-09 18:06 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-08 22:04 [RFC][PATCH] Entropy generator with 100 kB/s throughput Stephan Mueller
2013-02-09 18:06 ` Theodore Ts'o [this message]
2013-02-10 1:57 ` Jeff Epler
2013-02-10 12:46 ` Stephan Mueller
2013-02-10 15:53 ` Jeff Epler
2013-02-10 18:50 ` Theodore Ts'o
2013-02-10 19:27 ` Sandy Harris
2013-02-10 19:32 ` Stephan Mueller
2013-02-10 21:59 ` Sandy Harris
2013-02-11 0:05 ` Theodore Ts'o
2013-02-10 12:25 ` Stephan Mueller
2013-02-21 14:07 ` Phil Carmody
2013-02-21 14:17 ` Stephan Mueller
2013-02-21 17:46 ` Sandy Harris
2013-02-21 20:30 ` Theodore Ts'o
[not found] ` <CAFtRNNzcUpxT3R6ttUJ0c-7QTVRxbwRVq6bPqvkSL93vbstT4g@mail.gmail.com>
2013-02-22 11:14 ` Nick Kossifidis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130209180629.GD8091@thunk.org \
--to=tytso@mit.edu \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.