From: Theodore Ts'o <tytso@mit.edu>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Linux Kernel Developers List <linux-kernel@vger.kernel.org>,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH] random: limit the contribution of the hw rng to at most half
Date: Thu, 17 Jul 2014 18:08:06 -0400 [thread overview]
Message-ID: <20140717220806.GW1491@thunk.org> (raw)
In-Reply-To: <53C80A6D.5010201@zytor.com>
On Thu, Jul 17, 2014 at 10:39:57AM -0700, H. Peter Anvin wrote:
>
> I saw exactly one complaint to that nature, but that was from someone
> who really wanted the "nordrand" option (at which point I observed that
> it had inadvertently left RDSEED enabled which quickly got rectified.)
> The implication was that this was a request from a specific customer who
> presumably have their own "audited" hardware RNG.
There was another complaint more recently, that wasn't related to
nordrand. And I was rather disturbed that in
add_interrupt_randomness() 97% of the entropy was coming from RDSEED.
I'm willing to have some of the entropy come from RDSEED by default,
but 97% seems to really way too much.
And the emergency refill code in random_read() was extremely
problematic. First of all, we're dropping 512 bytes on the stack,
which is kind of bad, but hopefully all of the code paths which call
random_read() won't have a terribly deep stack. Secondly, even after
the emergency refill, we block anyway. Which is kind of OK, but what
it means is that we are pulling 512 bytes from RDSEED, and giving
credit for 2048 bits of entropy; but since we block until the next
contribution from interrupt randomness, that means we get 1 bit from
the entropy randomness, and 2048 bits of entropy from RDSEED --- which
means that from the standpoint of entropy accounting, 99.95%
(2048/2049) of the entropy is coming from RDSEED when reading from
/dev/random when its entropy pool is empty.
Remember, regardless of whether or not you believe (as a former head
of NSA's technology directorate recently claimed) that the DUAL-EC p
and q were generated using NSA's standard high-quality HW RNG system
which they use to generate all of their crypto variables, or (as the
NIST advisory panel has recently concluded) that it was highly likely
that DUAL-EC was backdoored, it's the optics that matter, because
those of us without top-drawer SI security clearances can't prove
things one way or another.
And when 99.95% of the entropy when reading large quantities of keying
material from /dev/random is coming from RDSEED, that just has
terrible, terrible optics....
- Ted
next prev parent reply other threads:[~2014-07-17 22:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-17 10:03 [PATCH] random: limit the contribution of the hw rng to at most half Theodore Ts'o
2014-07-17 17:39 ` H. Peter Anvin
2014-07-17 22:08 ` Theodore Ts'o [this message]
2014-07-17 23:33 ` H. Peter Anvin
2014-07-18 6:23 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140717220806.GW1491@thunk.org \
--to=tytso@mit.edu \
--cc=hpa@zytor.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).