From: Clemens Ladisch <clemens@ladisch.de>
To: Stephan Mueller <smueller@chronox.de>
Cc: "Theodore Ts'o" <tytso@mit.edu>, Pavel Machek <pavel@ucw.cz>,
sandy harris <sandyinchina@gmail.com>,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
Nicholas Mc Guire <der.herr@hofr.at>
Subject: Re: [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random
Date: Thu, 14 Nov 2013 11:51:03 +0100 [thread overview]
Message-ID: <5284AB17.5050802@ladisch.de> (raw)
In-Reply-To: <27146362.bQgmetPpTV@tauon>
Stephan Mueller wrote:
> Am Mittwoch, 13. November 2013, 12:51:44 schrieb Clemens Ladisch:
>> (And any setting that increases accesses to main memory is likey to
>> introduce more entropy due to clock drift between the processor and the
>> memory bus. Or where do you assume the entropy comes from?)
>
> You nailed it. When I disable the caches using the CR0 setting, I get a
> massive increase in variations and thus entropy.
Now this would be an opportunity to use the number of main memory
accesses to estimate entropy. (And when you're running out of the
cache, i.e., deterministically, is there any entropy?)
>>> XOR is a bijective operation.
>>
>> Only XOR with a constant, which is not what you're doing.
>
> If you want to regain the full 64 bit input bit stream, then you are
> right.
>
> But still, XOR is bijective with respect to the two bits that go into
> the operation.
Please look up what "bijective" actually means:
<http://en.wikipedia.org/wiki/Bijection>
> folding based on XOR is an appropriate way to collapse the string and
> yet retain entropy.
Correct, but the reason for that is not being bijective.
>> If the observations are not independent, you cannot just assume that
>> the estimate is off by a certain factor. It means that the estimate
>> is not applicable _at all_.
>
> Well, I am not so sure here.
So, what is the factor that you are saying is large enough?
>>> The RNG has the following safety margins where it is more conservative than
>>> measurements indicate:
>>
>> You _cannot_ measure entropy by looking at the output. How would you
>> differentiate between /dev/random and /dev/urandom?
>
> I think regarding the independence you can very well draw the conclusion
> based on the output, because any dependencies will ultimately form a
> pattern.
The output of a pure PRNG (such as /dev/urandom without entropy) is
dependent on the internal state, but there are no patterns detectable
from the output alone.
> In addition, we need to keep in mind that the independence claim is
> relative
No, independence is a property of the process that generates the
samples.
> If you have an output string that has no detectable patterns, i.e. looks
> like white noise, you can only assume that the observations are
> independent of each other. If there are patterns, you know that there
> are dependencies.
>
> That statement may *not* apply any more if you look at the internals of
> the RNG. In such a case, you may have even strong dependencies.
>
> The best example on this matter are deterministic RNGs with a
> cryptographic output function. When you see the output string, you only
> see white noise. As you cannot detect a pattern, you have to assume that
> the string provides independent observations. At least for you who looks
> from the outside cannot draw any conclusions from observing some output
> bit stream which would be the future bit stream. Yet, when you know the
> state of the RNG, you entire future output bit stream has no
> independence.
You cannot restrict the analysis to observations from the outside;
there are many people who can know about the CPU's internal structure.
> Coming back to the jitter RNG: I applied a large array of statistical
> tests and all of them concluded that the output is white noise, as
> explained in the documentation. That means when looking from the
> outside, there are no dependencies visible. Now you may say that this
> conclusion does not mean that there are no dependencies -- but I reply
> again, if there would be any, none of the array of statistical tests can
> detect it. So, how would an attacker detect patterns?
An attacker would not try to detect patterns; he would apply knowledge
of the internals.
Statistical tests are useful only for detecting the absence of entropy,
not for the opposite.
All your arguments about the output of the CPU jitter RNG also apply to
the output of /dev/urandom. So are you saying that it would be a good
idea to loop the output of /dev/urandom back into /dev/random?
Regards,
Clemens
next prev parent reply other threads:[~2013-11-14 10:51 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-11 18:38 [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random Stephan Mueller
2013-10-12 1:45 ` Sandy Harris
2013-10-12 3:28 ` Theodore Ts'o
2013-10-12 19:04 ` Stephan Mueller
2013-10-12 20:12 ` Stephan Mueller
[not found] ` <CACXcFm=_jmeKe2YYbHDi-jTGX-23hDsDeu_weWQkr2F_FpE_6g@mail.gmail.com>
2013-10-14 13:38 ` Fwd: " Sandy Harris
2013-10-14 14:12 ` Stephan Mueller
2013-10-14 14:26 ` Stephan Mueller
2013-10-14 14:14 ` Sandy Harris
2013-10-14 14:40 ` Stephan Mueller
2013-10-14 15:18 ` Sandy Harris
2013-10-14 15:26 ` Stephan Mueller
2013-10-14 15:46 ` Sandy Harris
2013-10-14 21:33 ` Sandy Harris
2013-10-15 6:23 ` Stephan Mueller
2013-10-28 15:40 ` Stephan Mueller
2013-10-28 16:06 ` Henrique de Moraes Holschuh
2013-10-28 16:15 ` Stephan Mueller
2013-10-28 21:45 ` Theodore Ts'o
2013-10-29 8:42 ` Stephan Mueller
2013-10-29 13:24 ` Theodore Ts'o
2013-10-29 14:00 ` Stephan Mueller
2013-10-29 22:25 ` Stephan Mueller
2013-11-02 11:01 ` Pavel Machek
2013-11-02 11:12 ` Pavel Machek
2013-11-03 7:20 ` Stephan Mueller
2013-11-03 12:41 ` Theodore Ts'o
2013-11-05 12:20 ` Stephan Mueller
2013-11-06 11:49 ` Stephan Mueller
2013-11-06 12:43 ` Theodore Ts'o
2013-11-06 12:51 ` Stephan Mueller
2013-11-06 13:04 ` Theodore Ts'o
2013-11-06 13:24 ` Pavel Machek
2013-11-07 0:36 ` Nicholas Mc Guire
2013-11-07 5:21 ` Stephan Mueller
2013-11-09 22:04 ` Clemens Ladisch
2013-11-10 1:10 ` Stephan Mueller
2013-11-10 16:31 ` Clemens Ladisch
2013-11-10 17:21 ` Stephan Mueller
2013-11-10 20:28 ` Clemens Ladisch
2013-11-13 3:12 ` Stephan Mueller
2013-11-13 11:51 ` Clemens Ladisch
2013-11-13 15:15 ` Stephan Mueller
2013-11-13 17:14 ` Pavel Machek
2013-11-14 10:51 ` Clemens Ladisch [this message]
2013-11-14 18:01 ` Stephan Mueller
2013-11-14 18:30 ` Clemens Ladisch
2013-11-14 18:34 ` Stephan Mueller
2013-11-11 2:58 ` H. Peter Anvin
2013-11-07 1:03 ` Nicholas Mc Guire
2013-11-07 5:26 ` Stephan Mueller
2013-11-09 22:04 ` Clemens Ladisch
2013-11-10 1:16 ` Stephan Mueller
2013-11-03 23:32 ` Pavel Machek
2013-11-05 12:25 ` Stephan Mueller
2013-11-05 13:45 ` Stephan Mueller
2013-11-06 11:42 ` Stephan Mueller
2013-11-06 13:26 ` Pavel Machek
2013-11-07 3:12 ` Stephan Mueller
2013-11-13 3:37 ` [PATCH] CPU Jitter RNG: Executing time variation tests on bare metal Stephan Mueller
2013-10-30 12:59 ` [PATCH] CPU Jitter RNG: inclusion into kernel crypto API and /dev/random Sandy Harris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5284AB17.5050802@ladisch.de \
--to=clemens@ladisch.de \
--cc=der.herr@hofr.at \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=sandyinchina@gmail.com \
--cc=smueller@chronox.de \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox