From: Stephan Mueller <smueller@chronox.de>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Andreas Steffen <andreas.steffen@strongswan.org>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>
Subject: Re: DRBG seeding
Date: Fri, 17 Apr 2015 15:22:56 +0200 [thread overview]
Message-ID: <2278042.JS7c5BLrbA@myon.chronox.de> (raw)
In-Reply-To: <20150417131137.GA27060@gondor.apana.org.au>
Am Freitag, 17. April 2015, 21:11:37 schrieb Herbert Xu:
Hi Herbert,
> On Fri, Apr 17, 2015 at 02:48:51PM +0200, Stephan Mueller wrote:
> > Do you really think that this is possible? If the DRBG becomes the stdrng,
> > you would imply that those callers (e.g. IPSEC) may suffer from a long
> > block (and with long I mean not just seconds, but minutes).
>
> It's only 49 bytes for every 64K so I think it's reasonable.
Just an FYI on a test I did once: on a headless PPC (POWER6), we drained
/dev/random (simply do a cat /dev/random). Then it took more than 20 hours(!)
to get 48 bytes to seed OpenSSL from /dev/random. This test was done on some
2.6.32 kernel.
That issue should be better now considering that interrupts are used as noise
source by /dev/random.
Furthermore, it gets worse again considering that there is work underway to
disable SSDs to feed /dev/random. Thus, on a server that is headless but has
SSDs we only have interrupts feeding into /dev/random.
Thus, getting a full seed of 384 bits is minutes on a headless system will
definitely be a challenge in a worst case.
> The only reason someone would use this is to comply with the
> standard and this is what the standard requires so I don't see
> how we can do anything else.
I do not see a definite quality requirement of the seed source in SP800-90A.
In user space, FIPS validations happily used /dev/urandom where NIST has no
concern.
Currently, there is a draft interpretation that tightens the issue around
/dev/urandom significantly. Therefore, looking into the issue is definitely
important. But still, blocking the DRBG right from the start until we have
data from /dev/random does not seem helpful either.
>
> > Furthermore, I fail to see the difference between the current default
> > stdrng (krng -- which is just get_random_bytes in disguise). Thus, the
> > current situation with the DRBG seeding is not different from the
> > non-DRBG use case.
> The difference is that krng doesn't have to satisfy any standard.
>
> Cheers,
--
Ciao
Stephan
next prev parent reply other threads:[~2015-04-17 13:24 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-16 14:36 DRBG seeding Herbert Xu
2015-04-16 15:07 ` Stephan Mueller
2015-04-16 15:26 ` Herbert Xu
2015-04-16 15:32 ` Stephan Mueller
2015-04-16 17:11 ` Andreas Steffen
2015-04-17 1:19 ` Stephan Mueller
2015-04-17 2:14 ` Herbert Xu
2015-04-17 12:48 ` Stephan Mueller
2015-04-17 13:11 ` Herbert Xu
2015-04-17 13:22 ` Stephan Mueller [this message]
2015-04-18 1:27 ` Herbert Xu
2015-04-18 1:32 ` Stephan Mueller
2015-04-18 1:36 ` Herbert Xu
2015-04-18 2:04 ` Stephan Mueller
2015-04-18 2:16 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2278042.JS7c5BLrbA@myon.chronox.de \
--to=smueller@chronox.de \
--cc=andreas.steffen@strongswan.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).