[Cryptography] [RNG] randomness +- entropy

Hannes Frederic Sowa hannes at stressinduktion.org
Thu Nov 7 17:10:39 EST 2013


On Thu, Nov 07, 2013 at 03:36:54AM +0100, Hannes Frederic Sowa wrote:
> On Wed, Nov 06, 2013 at 07:41:08AM -0500, Theodore Ts'o wrote:
> > On Wed, Nov 06, 2013 at 04:39:17AM +0100, Hannes Frederic Sowa wrote:
> > > 
> > > I am looking for other candidates which could be migrated (and are worth
> > > it, given my limited time to work on this).  rc80211_minstrel_ht_init does
> > > not look like a perfect fit, but I will have a fresh look tomorrow.
> > 
> > From my google searches on the minstrel algorithm (and I'm not enough
> > of a networking expert to be authoritative), it appears that it just
> > needs some random retry times for its learning algorithm.  It appears
> > that it might be better if the random retry times chosen were unique per
> > host[1], but it didn't appear to have any security significance that I
> > could see.
> 
> I agree, maybe one can prevent another wireless node from getting a free slot to
> send if the secrets are known. One could call that a DoS but it seems not that
> important.
> 
> > [1] That's the one problem with prandom_init(); before it tries to
> > reseed using get_random_bytes() as a late_initcall(), the initial
> > state used for the prng doesn't appear to be very host-unique.
> 
> Hmm, couldn't we reseed as soon as the nonblocking buffer gets
> initialized?
> 
> A check if entropy_store is the nonblocking_pool and call prandom_reseed()
> just before or after we switch r->initialized to 1 in credit_entropy_bits
> should do the trick. I currently cannot see any problems with that.

This code runs much later than the late_initcall (at least on my box). Maybe
it is still of use, because we would reseed when we know the pool is
fully initialized.

> We could leave the late_initcall as-is as a fallback.

Maybe reseed prandom after rand_initialize could help.

Greetings,

  Hannes


