From: Stephan Mueller <smueller@chronox.de>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Andreas Steffen <andreas.steffen@strongswan.org>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>
Subject: Re: DRBG seeding
Date: Fri, 17 Apr 2015 15:22:56 +0200 [thread overview]
Message-ID: <2278042.JS7c5BLrbA@myon.chronox.de> (raw)
In-Reply-To: <20150417131137.GA27060@gondor.apana.org.au>
Am Freitag, 17. April 2015, 21:11:37 schrieb Herbert Xu:
Hi Herbert,
> On Fri, Apr 17, 2015 at 02:48:51PM +0200, Stephan Mueller wrote:
> > Do you really think that this is possible? If the DRBG becomes the stdrng,
> > you would imply that those callers (e.g. IPSEC) may suffer from a long
> > block (and with long I mean not just seconds, but minutes).
>
> It's only 49 bytes for every 64K so I think it's reasonable.
Just an FYI on a test I did once: on a headless PPC (POWER6), we drained
/dev/random (simply do a cat /dev/random). Then it took more than 20 hours(!)
to get 48 bytes to seed OpenSSL from /dev/random. This test was done on some
2.6.32 kernel.
That issue should be better now considering that interrupts are used as noise
source by /dev/random.
Furthermore, it gets worse again considering that there is work underway to
disable SSDs to feed /dev/random. Thus, on a server that is headless but has
SSDs we only have interrupts feeding into /dev/random.
Thus, getting a full seed of 384 bits is minutes on a headless system will
definitely be a challenge in a worst case.
> The only reason someone would use this is to comply with the
> standard and this is what the standard requires so I don't see
> how we can do anything else.
I do not see a definite quality requirement of the seed source in SP800-90A.
In user space, FIPS validations happily used /dev/urandom where NIST has no
concern.
Currently, there is a draft interpretation that tightens the issue around
/dev/urandom significantly. Therefore, looking into the issue is definitely
important. But still, blocking the DRBG right from the start until we have
data from /dev/random does not seem helpful either.
>
> > Furthermore, I fail to see the difference between the current default
> > stdrng (krng -- which is just get_random_bytes in disguise). Thus, the
> > current situation with the DRBG seeding is not different from the
> > non-DRBG use case.
> The difference is that krng doesn't have to satisfy any standard.
>
> Cheers,
--
Ciao
Stephan
next prev parent reply other threads:[~2015-04-17 13:24 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-16 14:36 DRBG seeding Herbert Xu
2015-04-16 15:07 ` Stephan Mueller
2015-04-16 15:26 ` Herbert Xu
2015-04-16 15:32 ` Stephan Mueller
2015-04-16 17:11 ` Andreas Steffen
2015-04-17 1:19 ` Stephan Mueller
2015-04-17 2:14 ` Herbert Xu
2015-04-17 12:48 ` Stephan Mueller
2015-04-17 13:11 ` Herbert Xu
2015-04-17 13:22 ` Stephan Mueller [this message]
2015-04-18 1:27 ` Herbert Xu
2015-04-18 1:32 ` Stephan Mueller
2015-04-18 1:36 ` Herbert Xu
2015-04-18 2:04 ` Stephan Mueller
2015-04-18 2:16 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2278042.JS7c5BLrbA@myon.chronox.de \
--to=smueller@chronox.de \
--cc=andreas.steffen@strongswan.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.