From: Jan Glauber <jan.glauber@de.ibm.com>
To: Valdis.Kletnieks@vt.edu
Cc: linux-crypto <linux-crypto@vger.kernel.org>,
linux-kernel@vger.kernel.org
Subject: Re: [RFC][PATCH] Pseudo-random number generator
Date: Tue, 05 Dec 2006 14:07:27 +0100 [thread overview]
Message-ID: <1165324047.6337.39.camel@bender> (raw)
In-Reply-To: <200612041615.kB4GF7lx031249@turing-police.cc.vt.edu>
On Mon, 2006-12-04 at 11:15 -0500, Valdis.Kletnieks@vt.edu wrote:
> On Fri, 01 Dec 2006 14:19:15 +0100, Jan Glauber said:
> > New s390 machines have hardware support for the generation of pseudo-random
> > numbers. This patch implements a simple char driver that exports this numbers
> > to user-space. Other possible implementations would have been:
>
> > + for (i = 0; i < 16; i++) {
> > + entropy[0] = get_clock();
> > + entropy[1] = get_clock();
> > + entropy[2] = get_clock();
> > + entropy[3] = get_clock();
>
> By the time this loop completes, we'll have done 64 get_clock() - and if an
> attacker has a good estimate of what the system clock has in it, they'll be
> able to guess all 64 values, since each pass through the loop will have fairly
> predictable timing. So as a result, the pseudo-random stream will be a *lot*
> less random than one would hope for...
I completely agree. Filling the input buffer with timestamps looks quite
uncomfortable but was exactly what the hardware specification suggested.
At least for the initialisation of the PRNG I preferred get_random_bytes()
over get_clock to get a good initial seed. But get_random_bytes cannot
be used during normal operation since the PRNG read should not block.
> > + /*
> > + * It shouldn't weaken the quality of the random numbers
> > + * passing the full 16 bytes from STCKE to the generator.
> > + */
>
> As long as you realize that probably 12 or 13 or even more of those 16 bytes
> are likely predictable (depending exactly how fast the hardware clock ticks),
> and as a result the output stream will also be predictable.
Yes, if an attacker knows the initial clock value a brute-force attack
would be feasible to predict the output. But I don't know if the
hardware completely relies on the clock values or if there is any
internal state which is not visible by an attacker. I will try to find
out more details...
Jan
next prev parent reply other threads:[~2006-12-05 13:11 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-12-01 13:19 [RFC][PATCH] Pseudo-random number generator Jan Glauber
2006-12-01 13:39 ` Alan
2006-12-01 15:20 ` Jan Glauber
2006-12-01 15:37 ` Alan
2006-12-04 16:15 ` Valdis.Kletnieks
2006-12-05 13:07 ` Jan Glauber [this message]
2007-01-16 14:07 ` Jan Glauber
2006-12-07 15:06 ` Arnd Bergmann
2006-12-07 15:19 ` Jan Glauber
2006-12-07 18:43 ` Arnd Bergmann
2006-12-08 11:42 ` Jan Glauber
[not found] <7ngD0-8fX-11@gated-at.bofh.it>
[not found] ` <7ngMA-8D-39@gated-at.bofh.it>
[not found] ` <7niv3-4sQ-21@gated-at.bofh.it>
[not found] ` <7niEE-4Mk-5@gated-at.bofh.it>
2006-12-01 17:33 ` Bodo Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1165324047.6337.39.camel@bender \
--to=jan.glauber@de.ibm.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox