From: Clemens Ladisch <clemens@ladisch.de>
To: Stephan Mueller <smueller@chronox.de>
Cc: Nicholas Mc Guire <der.herr@hofr.at>,
Theodore Ts'o <tytso@mit.edu>, Pavel Machek <pavel@ucw.cz>,
sandy harris <sandyinchina@gmail.com>,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random
Date: Sat, 09 Nov 2013 23:04:07 +0100 [thread overview]
Message-ID: <527EB157.70109@ladisch.de> (raw)
In-Reply-To: <4606253.6dPOReUPaz@tauon>
Stephan Mueller wrote:
> Am Donnerstag, 7. November 2013, 02:03:57 schrieb Nicholas Mc Guire:
>> On Wed, 06 Nov 2013, Stephan Mueller wrote:
>>> Besides, how on earth shall an attacker even gain knowledge about the
>>> state of the CPU or disable CPU mechanisms? Oh, I forgot, your NSA
>>> guy. But if he is able to do that, all discussions are moot because
>>> he simply disables any noise sources by flipping a bit, reads the
>>> memory that is used to hold the state of the RNG or just overwrites
>>> the memory locations where data is collected, because the general
>>> protection mechanisms offered by the kernel and the underlying
>>> hardware are broken.
>>
>> No need to gain knowledge of the internal CPU state itt would be
>> sufficient to be able to put the CPU in a sub-state-space in which
>> the distribution is shifted. it may be enough to reduce the truely
>> random bits of some key only by a few bits to make it suceptible to
>> brute force attacks.
>
> Note, the proposed RNG contains an unbias operation (the Von-Neumann
> unbiaser) which is proven to remove any bias when it is established that
> the individual observations are independent. And the way the
> observations are generated ensures that they are independent.
"Independent" does not mean that your own code avoids reusing data from
the previous loop iteration; it means that the _entire_ process that
generates the bits is not affected by any memory of the past.
The observations are derived from the internal CPU state, which is *not*
reset between measurements.
Regards,
Clemens
next prev parent reply other threads:[~2013-11-09 22:04 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-11 18:38 [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random Stephan Mueller
2013-10-12 1:45 ` Sandy Harris
2013-10-12 3:28 ` Theodore Ts'o
2013-10-12 19:04 ` Stephan Mueller
2013-10-12 20:12 ` Stephan Mueller
[not found] ` <CACXcFm=_jmeKe2YYbHDi-jTGX-23hDsDeu_weWQkr2F_FpE_6g@mail.gmail.com>
2013-10-14 13:38 ` Fwd: " Sandy Harris
2013-10-14 14:12 ` Stephan Mueller
2013-10-14 14:26 ` Stephan Mueller
2013-10-14 14:14 ` Sandy Harris
2013-10-14 14:40 ` Stephan Mueller
2013-10-14 15:18 ` Sandy Harris
2013-10-14 15:26 ` Stephan Mueller
2013-10-14 15:46 ` Sandy Harris
2013-10-14 21:33 ` Sandy Harris
2013-10-15 6:23 ` Stephan Mueller
2013-10-28 15:40 ` Stephan Mueller
2013-10-28 16:06 ` Henrique de Moraes Holschuh
2013-10-28 16:15 ` Stephan Mueller
2013-10-28 21:45 ` Theodore Ts'o
2013-10-29 8:42 ` Stephan Mueller
2013-10-29 13:24 ` Theodore Ts'o
2013-10-29 14:00 ` Stephan Mueller
2013-10-29 22:25 ` Stephan Mueller
2013-11-02 11:01 ` Pavel Machek
2013-11-02 11:12 ` Pavel Machek
2013-11-03 7:20 ` Stephan Mueller
2013-11-03 12:41 ` Theodore Ts'o
2013-11-05 12:20 ` Stephan Mueller
2013-11-06 11:49 ` Stephan Mueller
2013-11-06 12:43 ` Theodore Ts'o
2013-11-06 12:51 ` Stephan Mueller
2013-11-06 13:04 ` Theodore Ts'o
2013-11-06 13:24 ` Pavel Machek
2013-11-07 0:36 ` Nicholas Mc Guire
2013-11-07 5:21 ` Stephan Mueller
2013-11-09 22:04 ` Clemens Ladisch
2013-11-10 1:10 ` Stephan Mueller
2013-11-10 16:31 ` Clemens Ladisch
2013-11-10 17:21 ` Stephan Mueller
2013-11-10 20:28 ` Clemens Ladisch
2013-11-13 3:12 ` Stephan Mueller
2013-11-13 11:51 ` Clemens Ladisch
2013-11-13 15:15 ` Stephan Mueller
2013-11-13 17:14 ` Pavel Machek
2013-11-14 10:51 ` Clemens Ladisch
2013-11-14 18:01 ` Stephan Mueller
2013-11-14 18:30 ` Clemens Ladisch
2013-11-14 18:34 ` Stephan Mueller
2013-11-11 2:58 ` H. Peter Anvin
2013-11-07 1:03 ` Nicholas Mc Guire
2013-11-07 5:26 ` Stephan Mueller
2013-11-09 22:04 ` Clemens Ladisch [this message]
2013-11-10 1:16 ` Stephan Mueller
2013-11-03 23:32 ` Pavel Machek
2013-11-05 12:25 ` Stephan Mueller
2013-11-05 13:45 ` Stephan Mueller
2013-11-06 11:42 ` Stephan Mueller
2013-11-06 13:26 ` Pavel Machek
2013-11-07 3:12 ` Stephan Mueller
2013-11-13 3:37 ` [PATCH] CPU Jitter RNG: Executing time variation tests on bare metal Stephan Mueller
2013-10-30 12:59 ` [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random Sandy Harris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=527EB157.70109@ladisch.de \
--to=clemens@ladisch.de \
--cc=der.herr@hofr.at \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=sandyinchina@gmail.com \
--cc=smueller@chronox.de \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.