[Cryptography] A possibility for random device drivers

Sandy Harris sandyinchina at gmail.com
Sun Mar 30 12:03:51 EDT 2014

I have been thinking about the design of the Linux random(4) device
and related devices and I have a suggestion that seems worth a look.
There is nothing like a finished design here, just a pointer to a line
that may be worth exploring.

The Linux device generates output by running a hash, SHA-1 in the
current driver, over the pool. Yarrow just uses a single hash context,
in effect running the hash over the input. Fortuna uses several such
contexts. There may be some other variations but I think more-or-less
everyone uses a hash.

My question is whether it might be equally effective and somewhat more
efficient to use the authentication code from AES-GCM or a similar
system instead. These authenticators are designed to replace hashes,
specifically HMAC, for packet-level authentication in various
protocols, and efficiency is one of their main design goals.

AES-GCM is the commonest; there is a NIST standard for it and RFCs for
using it in IPsec, TLS and SSH. There are several other such
authenticators in use as well, and the CAESAR competition for new
authenticated cipher modes has proposals for more.

The GCM code uses a 128-bit quantity H as a multiplier in its mixing,
and in normal use it gets that from AES encryption of an all-zero
block so, since the AES key is secret, H is effectively random. I do
not know if using a fixed H would make the method insecure or how a
pseudorandom H could best be provided in random(4).
