From: daw@mozart.cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] (0/4) Entropy accounting fixes
Date: 8 Sep 2002 18:03:09 GMT
Message-ID: <alg3ct$pru$1@abraham.cs.berkeley.edu>
In-Reply-To: Pine.LNX.4.44.0209072328240.21724-100000@redshift.mimosa.com
D. Hugh Redelmeier wrote:
>The Intel (and, I assume, the AMD) hardware random generator cannot be
>audited.
I disagree. The Intel RNG can be audited, and it has been audited.

The Intel RNG works like this. In hardware, there is a noise source,
which outputs bits that may be somewhat biased. Then, also in hardware,
there is a von Neumann stage that does a little bit of conditioning to
reduce the bias slightly. Finally, in software, the Intel driver applies
SHA-1 to do heavy bit-mixing and pseudorandomization.

Of course, running randomness tests after the SHA-1 stage will tell
you nothing. You could run SHA-1 on a counter and it would pass DIEHARD.
So, don't do that.

Rather, to audit the Intel RNG, the first thing to do is to run
statistical tests on the input to SHA-1. Ideally, you'd like to do
this before the von Neumann stage, but since the von Neumann compensator
is in hardware, that's not possible. Fortunately, you can do the
auditing on the output of the von Neumann stage, and this is almost
as good. Because the von Neumann filter does only very light conditioning,
any flaws in the input to the von Neumann stage are likely to be apparent
after the output stage as well, if you have a large number of samples.
Fortunately, because the SHA-1 is in software, this test is feasible.

The second thing to do is to look at the design of the hardware noise
source to see whether it looks like a reliable source of random bits.

Both of these tests have been performed. Paul Kocher has looked
carefully at the Intel RNG, and given it high scores. See
http://www.cryptography.com/resources/whitepapers/IntelRNG.pdf

Of course, there are no guarantees. But let's look at the alternatives.
If you pick software-based noise sources, there's always the risk that
they may fail to produce useful entropy. (For instance, you sample the
soundcard, but 5% of machines have no soundcard and hence give no
entropy, or 5% of the time you get back stuff highly correlated to
60Hz AC.) The risk that a software-based noise source fails seems much
higher than the risk that the Intel RNG has a backdoor. And the Intel
RNG seems very unlikely to fail at random. If you're going to rely on
any single source, the Intel RNG seems like by far the most reliable
source around.

Of course, in cryptography you should never be relying on only one noise
source anyway. You should mix as many noise sources together as possible.
Then, as long as the hash is secure, you'll be secure as long as any
one of those noise sources is working, even if the others fail adversarially.
(At least, this should be the case for any well-designed entropy crunching
algorithm.) Given this, there is no reason not to use the Intel RNG,
and every reason to use it. It can only help, not hurt.

So it seems to me that using the Intel RNG is a big win, and the risk
of a backdoor is "in the noise".
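As an added illustration (not part of David Wagner's message or of any Intel code), a small Python simulation of the audit point above: a constructed biased source and a constructed correlated source are pushed through a von Neumann stage, and SHA-1 over a counter stands in for the post-hash output. Simple monobit and serial-correlation checks see the bias removed by von Neumann but the correlation still visible afterwards, while the zero-entropy SHA-1 stream passes both checks. The two source models, the two tests and the sample sizes are assumptions chosen for the demonstration.

```python
import hashlib
import random

def biased_source(n, p_one, seed=1):
    """Constructed stand-in for a raw hardware noise source: independent bits, P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def sticky_source(n, p_repeat, seed=2):
    """Constructed correlated noise source: each bit repeats its predecessor with probability p_repeat."""
    rng = random.Random(seed)
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        bits.append(bits[-1] if rng.random() < p_repeat else 1 - bits[-1])
    return bits

def von_neumann(bits):
    """Von Neumann stage: consume non-overlapping pairs, emit the first bit of each (0,1)/(1,0)
    pair, drop (0,0) and (1,1). Removes bias from independent bits; correlation survives."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]

def sha1_counter_bits(n):
    """SHA-1 over an incrementing counter: zero entropy, yet it passes the tests below."""
    out, ctr = [], 0
    while len(out) < n:
        digest = hashlib.sha1(ctr.to_bytes(8, "big")).digest()
        out.extend((byte >> k) & 1 for byte in digest for k in range(8))
        ctr += 1
    return out[:n]

def monobit_bias(bits):
    """Fraction of ones minus 1/2; near 0 for an unbiased stream."""
    return sum(bits) / len(bits) - 0.5

def serial_correlation(bits):
    """Pearson correlation between each bit and its successor; near 0 if bits are independent."""
    x, y, n = bits[:-1], bits[1:], len(bits) - 1
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    vx = sum((a - mx) ** 2 for a in x) / n
    vy = sum((b - my) ** 2 for b in y) / n
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

if __name__ == "__main__":  # constructed demo run: 200k raw bits per source
    raw_b, raw_s = biased_source(200000, 0.7), sticky_source(200000, 0.9)
    for name, bits in [("biased raw", raw_b), ("biased after VN", von_neumann(raw_b)),
                       ("sticky raw", raw_s), ("sticky after VN", von_neumann(raw_s)),
                       ("sha1(counter)", sha1_counter_bits(200000))]:
        print(f"{name:16s} bias={monobit_bias(bits):+.3f} serial={serial_correlation(bits):+.3f}")
```

The "sticky after VN" line is the point of the exercise: the light von Neumann conditioning leaves a clearly negative serial correlation that a test on the pre-hash stream catches, whereas the same tests on SHA-1 output would report nothing wrong even for a counter.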