[Cryptography] randomness +- entropy

Theodore Ts'o tytso at mit.edu
Tue Nov 5 00:01:00 EST 2013


On Mon, Nov 04, 2013 at 08:46:05PM -0800, Watson Ladd wrote:
> I'm sorry: Did the Mind your P's and Q's paper escape everyone on this list?
> There are thousands of devices out there generating keys on first-power on
> with insufficient entropy, with observable deleterious effects.

Sure, we need enough entropy to seed the /dev/urandom device.  And
there's been quite a lot of work to improve things since the P's and
Q's paper.  The distinction that I was talking about is whether every
single bit that is returned from /dev/random should correspond to bits
of entropy gathered from the system (and where you block until the
system has been able to gather enough entropy to satisfy the request),
or whether you depend on the cryptographic algorithms for your
security once the CSRNG has been sufficiently well seeded (which is
what /dev/urandom in Linux is intended to do, as contrasted with the
/dev/random device).

> This problem needs to be solved, and the only way to do it is to
> find or add sources of randomness to the hardware and have the
> kernel use them, as well as a critical failure if they do not
> exist/are not sufficient.

On x86 class machines, both servers and desktop, this is pretty much a
solved problem.  The real challenge is with ARM and MIPS systems,
where the CPUs not only don't have a HWRNG, but they don't even have
a CPU counter register, so it's hard to get the timer resolution
needed to use the timing of events from the hardware for the entropy.

- Ted
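The seeding model Ted describes, in added example code that is not part of his message or of the Linux kernel: block once until the kernel CSPRNG has been seeded, then trust the generator rather than per-request entropy accounting. It assumes a Linux host and uses the getrandom(2) syscall, which did not exist when this 2013 thread was written (it arrived in kernel 3.17) and which implements exactly this behaviour with flags == 0; on a kernel without it the code falls back to /dev/urandom, with the early-boot caveat noted in a comment. The helper names (`entropy_avail`, `fill_random`, `looks_random`, `key_ok`) are this example's own.

```c
/* Added example, not from the original message or the kernel.
 * Assumes Linux. getrandom(2) (kernel >= 3.17) with flags == 0 blocks
 * only until the pool has been initialised once, then never again:
 * the "/dev/urandom once seeded" model the post contrasts with
 * /dev/random's per-bit entropy accounting. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/syscall.h>

/* Read the kernel's current entropy estimate in bits.  Returns -1 when
 * the proc file is unavailable (non-Linux, or a locked-down container).
 * This is informational only; the decision to draw bytes below does
 * not depend on it. */
long entropy_avail(void) {
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    if (!f) return -1;
    long bits = -1;
    if (fscanf(f, "%ld", &bits) != 1) bits = -1;
    fclose(f);
    return bits;
}

/* Fill buf with n bytes of CSPRNG output.  Returns n on success, -1 on
 * a hard failure.  Prefers getrandom(flags=0): waits for the one-time
 * seeding, then returns immediately for every later call. */
ssize_t fill_random(unsigned char *buf, size_t n) {
    size_t got = 0;
#if defined(__linux__) && defined(SYS_getrandom)
    while (got < n) {
        long r = syscall(SYS_getrandom, buf + got, n - got, 0);
        if (r < 0) {
            if (errno == EINTR) continue;
            if (errno == ENOSYS) break;   /* pre-3.17 kernel: fall back below */
            return -1;
        }
        got += (size_t)r;
    }
    if (got == n) return (ssize_t)got;
#endif
    /* Fallback: read /dev/urandom.  Caveat: this path does NOT wait for
     * seeding, which is the first-boot key-generation hazard the P's and
     * Q's paper documents.  Acceptable on a long-running box, not in an
     * early-boot key-generation script. */
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) { if (errno == EINTR) continue; close(fd); return -1; }
        if (r == 0) break;
        got += (size_t)r;
    }
    close(fd);
    return (ssize_t)got;
}

/* Crude sanity check: a seeded CSPRNG will not hand back a buffer of
 * 16+ bytes in which every byte is identical.  Not a statistical test,
 * just a guard against a silently failed read. */
int looks_random(const unsigned char *buf, size_t n) {
    if (n < 16) return 0;
    for (size_t i = 1; i < n; i++)
        if (buf[i] != buf[0]) return 1;
    return 0;
}

/* Generate a 32-byte key; 1 if it came back complete and passes the
 * guard above, else 0. */
int key_ok(void) {
    unsigned char key[32];
    if (fill_random(key, sizeof key) != (ssize_t)sizeof key) return 0;
    return looks_random(key, sizeof key);
}

int main(void) {
    unsigned char key[32];
    printf("entropy_avail: %ld bits\n", entropy_avail());
    if (fill_random(key, sizeof key) != (ssize_t)sizeof key) {
        perror("fill_random");
        return 1;
    }
    printf("32-byte key: ");
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    printf("\n");
    return looks_random(key, sizeof key) ? 0 : 2;
}
```

Build with `cc -O2 random_seeded.c -o random_seeded` and run it; the entropy_avail value printed is the kernel's estimate, which the getrandom path ignores on purpose once seeding has happened. On an ARM or MIPS board of the kind Ted mentions, the interesting observation is how long the first call blocks after a cold boot, which is precisely the window in which reading /dev/urandom directly would have produced weak keys.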
