[Cryptography] cheap sources of entropy

Theodore Ts'o tytso at mit.edu
Sat Feb 1 18:07:51 EST 2014

On Sun, Feb 02, 2014 at 07:58:58AM +1000, James A. Donald wrote:
> Underneath all that are real material disk drives, which have
> turbulence.  The turbulence causes random and entirely unpredictable
> timing variations, which unpredictability and variation propagate
> all the way to the VM

*Maybe*.  There could be enough quantization errors such that you're
not really measuring this.  Consider what might happen if the VMs are
being scheduled by the host OS with a scheduling quantum measured in
10's of milliseconds (servers generally get configured with a clock
tick of 100HZ), and suppose the variability caused by air turbulence
is measured in hundreds of microseconds.  By the time the host OS has
has done the I/O on behalf of the VM, and then scheduled the VM to
deliver the virtual disk's interrupt, in this case you almost
certainly won't be measuring variations which can be attributable to
the noise on the disk.  Now, there may be enough unpredictability
caused by whatever the *other* VM's on the host OS are doing that a
remote attacker might (or might not) have access to.  But the bottom
line is that you may not be measuring what you think you are
measuring, and so how you reason about how much entropy is in that
particular source might be very much at odds with reality.

Is it better than nothing?  Sure, although I think using virt-rng is
actually a better choice.  Yes, you are now dependent on whoever is
running the host OS server not having received a National Security
Letter from the FBI, but that's always been the case --- and it's much
easier for them to simply grab snapshots of your virtual hard disk,
and to go pawing through the memory of the running VM to get the
encryption key if you are using dm-crypt.

						- Ted

More information about the cryptography mailing list