Re: [PATCH][RFC] Allow net devices to contribute to /dev/random

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: daw@mozart.cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [PATCH][RFC] Allow net devices to contribute to /dev/random
Date: 26 Sep 2001 00:20:32 GMT	[thread overview]
Message-ID: <9or70g$i59$1@abraham.cs.berkeley.edu> (raw)
In-Reply-To: <1001461026.9352.156.camel@phantasy>

I'm worried about the language in the configuration documentation:
  +  Some people, however, feel that network devices should not contribute to
  +  /dev/random because an external attacker could observe incoming packets
  +  in an attempt to learn the entropy pool's state. Note this is completely
  +  theoretical. 
Incrementing the entropy counter based on externally observable
values is dangerous.  Calling this risk 'completely theoretical'
is, I believe, a misrepresentation, unless I've missed something.

A failed RNG is one of the most likely -- and most devastating
-- failure modes possible for modern cryptosystems, and as such
it pays to be careful here.  Are you proposing this for inclusion
in the mainline Linux kernel?  If so, I'm concerned that this patch
could put security at risk.  What am I missing?

Here is my reasoning.  I'd like to quote drivers/char/random.c:
  * add_interrupt_randomness() uses the inter-interrupt timing as random
  * inputs to the entropy pool.  Note that not all interrupts are good
  * sources of randomness!  For example, the timer interrupts is not a
  * good choice, because the periodicity of the interrupts is too
  * regular, and hence predictable to an attacker.  Disk interrupts are
  * a better measure, since the timing of the disk interrupts are more
  * unpredictable.
  * 
  * All of these routines try to estimate how many bits of randomness a
  * particular randomness source.  They do this by keeping track of the
  * first and second order deltas of the event timings.
This suggests that add_interrupt_randomness() should not be called
on all interrupts without discrimination.  Would it be fair to say
that your patch enables randomness collection on almost all interrupts?
If so, why is this safe to do?

I hope you agree that making this configurable does not obviate our
responsibility to make sure that the default configuration is reasonable.
This stuff is subtle, and changing it is not something I'd recommend
without a careful analysis of the impact on security.  Moreover, the
comments about 'completely theoretical' leave me concerned that any
analysis that has been done on this patch may be based on misconceptions
about cryptographic security.  Can you tell us anything about what
security analysis you've done so far?

next prev parent reply	other threads:[~2001-09-26  0:20 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2001-09-25 23:36 [PATCH][RFC] Allow net devices to contribute to /dev/random Robert Love
2001-09-26  0:20 ` David Wagner [this message]
2001-09-26  0:52   ` Robert Love
2001-09-26  1:36     ` David Wagner
2001-09-26 22:55       ` Gordon Oliver
2001-09-26 23:06         ` Andreas Steinmetz
2001-09-26 15:49     ` dean gaudet
2001-09-26 17:00     ` Oliver Xymoron
2001-10-01 14:43     ` Pavel Machek
2001-10-01 21:33       ` Robert Love
2001-10-01  9:52   ` Florian Weimer
2001-10-01 16:59     ` /dev/random entropy calculations broken? Andreas Dilger
2001-10-01 21:55       ` Alex Bligh - linux-kernel
2001-10-01 22:43         ` antirez
2001-10-02  7:51       ` Andreas Dilger
2001-10-02  8:10         ` Andreas Dilger
2001-10-02 15:37         ` Oliver Xymoron
2001-10-02 21:02           ` Andreas Dilger
2001-10-02 21:29             ` Oliver Xymoron
2001-10-02 22:28               ` Andreas Dilger
2001-10-19 22:59         ` [PATCH] " Andreas Dilger
2001-10-21  5:05           ` Robert Love

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='9or70g$i59$1@abraham.cs.berkeley.edu' \
    --to=daw@mozart.cs.berkeley.edu \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox