[Cryptography] RFC possible changes for Linux random device
John Denker
jsd at av8n.com
Thu Sep 18 09:17:26 EDT 2014
On 09/16/2014 02:34 PM, John Gilmore asked:
> Also, do we want the kernel to mark pages that it puts entropy into as
> "non-swappable" or "erase upon freeing", to keep the kernel from
> making or retaining copies of the page that could be exploited by
> adversaries?
AFAICT, locking pages in memory to make them non-swappable
is a solved problem lo these many years.
https://www.gnupg.org/faq/GnuPG-FAQ.html#why-do-i-get-gpg_warning_using_insecure_memory
It has to be done by the app, not by the kernel RNG.
Here's why: Suppose you get some entropy from the
RNG and use it to cut a long-term key. You need to
protect that key for years and years, until it expires.
You need to protect it wherever it resides, in memory
and elsewhere. The kernel RNG knows nothing of this.
Similarly if the key goes into a password-protected
file, the password needs to be protected. Again, the
kernel in general and the RNG system in particular
have no traction on this.
Similarly, the app has to take responsibility for
zeroing sensitive data as soon as it is no longer
needed.
> Even from
> John Denker there seems to be a lot of handwaving about entropy versus
> randomness.
What brought that on?
> When generating a 2275-bit RSA key for long term PGP use,
> shouldn't I ask for 2275 bits of entropy?
That's how I do it. That's what I recommend. (*)
> Why or why not?
Here's why: Cutting long-term keys is a low-bandwidth
high-value adversarial application. In such cases, you
can surely afford to use a HRNG. (*)
Also because the number of things that can go wrong
with a HRNG is a very small subset of the things that
can go wrong with a PRNG.
In contrast, for high-bandwidth low-value applications,
a properly-designed properly-seeded PRNG works fine.
Here the HRNG is needed so that the PRNG can be properly
seeded. (*)
The third possibility is that a PRNG is adequate to the
task but plenty of HRNG entropy is available, so that
either one will do.
The fourth possibility is that entropy is scarce but
critically needed, in which case exceedingly careful
engineering is needed. Seeding the PRNG on a newly
booted system is a conspicuous example. For the next
level of detail on this, see
https://www.av8n.com/computer/htm/secure-random.htm
*) Note: I have gone to a lot of trouble to spell out
what is needed and provide tools to help make it doable.
That's not the sort of activity that is usually referred
to as "handwaving".
> If we're defining a new system interface, are there more
> crypto/security/randomness issues we can address with it?
Yes. Some of the key RNG issues are discussed at
https://www.av8n.com/computer/htm/secure-random.htm
More generally, a good RNG and good system interfaces
are necessary but not sufficient for overall system
security.
> Give us some real
> examples and real reasons for the choices suggested.
There's 5000 words of discussion at
https://www.av8n.com/computer/htm/secure-random.htm
If anybody requires more detail and specificity, please
ask a more detailed specific question.
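The two app-side responsibilities the reply describes, pinning a secret so the kernel cannot swap it out and zeroing it the moment it is no longer needed, in one C example. This is an added illustration, not code from the thread, from GnuPG or from the Linux RNG; it assumes a Linux/POSIX system with mlock(2), madvise(2) and posix_memalign(3), and the key bytes it fills in are constructed so it runs offline (a real program would draw them from the kernel RNG).

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define KEY_LEN 32  /* constructed example: a 256-bit symmetric key */

/* Holder for secret material; the storage is pinned with mlock() so the
 * kernel will not write it to swap (what GnuPG calls "secure memory"). */
struct secret_buf {
    unsigned char *data;  /* page-aligned storage */
    size_t len;           /* bytes the caller asked for */
    size_t alloc;         /* page-rounded size actually allocated */
    int locked;           /* 1 if mlock() succeeded */
};

/* Round up to whole pages so mlock()/madvise() cover the whole buffer. */
static size_t round_to_pages(size_t n)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (n + page - 1) / page * page;
}

/* Allocate and pin a buffer for secret material. Returns NULL only if the
 * allocation fails; a failed mlock() (e.g. RLIMIT_MEMLOCK) is reported via
 * s->locked so the caller can decide whether to continue. */
struct secret_buf *secret_alloc(size_t len)
{
    struct secret_buf *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->len = len;
    s->alloc = round_to_pages(len);
    if (posix_memalign((void **)&s->data, (size_t)sysconf(_SC_PAGESIZE), s->alloc) != 0) {
        free(s);
        return NULL;
    }
    memset(s->data, 0, s->alloc);
    s->locked = (mlock(s->data, s->alloc) == 0);
#ifdef MADV_DONTDUMP
    /* Linux-specific: additionally keep these pages out of core dumps. */
    (void)madvise(s->data, s->alloc, MADV_DONTDUMP);
#endif
    return s;
}

/* Overwrite memory through a volatile pointer so the optimizer cannot
 * drop the writes as dead stores (the usual pitfall with plain memset). */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Returns 1 if every byte of the secret is zero, else 0. */
int secret_is_zeroed(const struct secret_buf *s)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < s->len; i++) acc |= s->data[i];
    return acc == 0;
}

/* Zero the secret, unpin the pages, then release the memory. */
void secret_free(struct secret_buf *s)
{
    if (s == NULL) return;
    secure_zero(s->data, s->alloc);
    if (s->locked) munlock(s->data, s->alloc);
    free(s->data);
    free(s);
}

/* One key's lifetime: pinned storage, constructed key bytes, use, wipe.
 * Returns 0 on success, -1 on failure. */
int demo_key_lifecycle(void)
{
    struct secret_buf *key = secret_alloc(KEY_LEN);
    if (key == NULL) return -1;
    for (size_t i = 0; i < key->len; i++)
        key->data[i] = (unsigned char)(0xA5 ^ i);   /* constructed stand-in for RNG output */
    if (secret_is_zeroed(key)) { secret_free(key); return -1; }
    secure_zero(key->data, key->len);              /* wipe as soon as the key is done */
    int clean = secret_is_zeroed(key);
    int was_locked = key->locked;
    secret_free(key);
    if (!clean) return -1;
    fprintf(stderr, "pages locked: %s, key wiped: yes\n", was_locked ? "yes" : "no");
    return 0;
}

int main(void)
{
    return demo_key_lifecycle() == 0 ? 0 : 1;
}
```

The program reports rather than aborts when mlock() is refused, because that is a policy decision for the application (a key-cutting tool should refuse to proceed; a throwaway session key might not care); the zeroing, by contrast, is unconditional.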