[Cryptography] RFC possible changes for Linux random device

John Denker jsd at av8n.com
Thu Sep 18 09:17:26 EDT 2014


On 09/16/2014 02:34 PM, John Gilmore asked:

> Also, do we want the kernel to mark pages that it puts entropy into as
> "non-swappable" or "erase upon freeing", to keep the kernel from
> making or retaining copies of the page that could be exploited by
> adversaries?

AFAICT, locking pages in memory to make them non-
swappable is a solved problem lo these many years.
  https://www.gnupg.org/faq/GnuPG-FAQ.html#why-do-i-get-gpg_warning_using_insecure_memory

It has to be done by the app, not by the kernel RNG.
Here's why:  Suppose you get some entropy from the 
RNG and use it to cut a long-term key.  You need to 
protect that key for years and years, until it expires.
You need to protect it wherever it resides, in memory
and elsewhere.  The kernel RNG knows nothing of this.
Similarly if the key goes into a password-protected 
file, the password needs to be protected.  Again, the 
kernel in general and the RNG system in particular 
have no traction on this.

Similarly, the app has to take responsibility for
zeroing sensitive data as soon as it is no longer
needed.

> Even from
> John Denker there seems to be a lot of handwaving about entropy versus
> randomness.

What brought that on?

> When generating a 2275-bit RSA key for long term PGP use,
> shouldn't I ask for 2275 bits of entropy?

That's how I do it.  That's what I recommend.  (*)

> Why or why not?

Here's why: Cutting long-term keys is a low-bandwidth 
high-value adversarial application.  In such cases, you 
can surely afford to use a HRNG. (*)

Also because the number of things that can go wrong 
with a HRNG is a very small subset of the things that 
can go wrong with a PRNG.

In contrast, for high-bandwidth low-value applications, 
a properly-designed properly-seeded PRNG works fine.
Here the HRNG is needed so that the PRNG can be properly 
seeded. (*)

The third possibility is that a PRNG is adequate to the
task but plenty of HRNG entropy is available, so that 
either one will do.

The fourth possibility is that entropy is scarce but
critically needed, in which case exceedingly careful 
engineering is needed.  Seeding the PRNG on a newly
booted system is a conspicuous example.  For the next
level of detail on this, see
  https://www.av8n.com/computer/htm/secure-random.htm

*) Note:  I have gone to a lot of trouble to spell out
what is needed and provide tools to help make it doable.
That's not the sort of activity that is usually referred 
to as "handwaving".

> If we're defining a new system interface, are there more
> crypto/security/randomness issues we can address with it?

Yes.  Some of the key RNG issues are discussed at
  https://www.av8n.com/computer/htm/secure-random.htm

More generally, a good RNG and good system interfaces
are necessary but not sufficient for overall system 
security.

> Give us some real
> examples and real reasons for the choices suggested.

There's 5000 words of discussion at
  https://www.av8n.com/computer/htm/secure-random.htm

If anybody requires more detail and specificity, please 
ask a more detailed specific question.

