[Cryptography] RFC possible changes for Linux random device
Bear
bear at sonic.net
Sun Sep 14 14:06:35 EDT 2014
On Sat, 2014-09-13 at 21:03 -0400, Theodore Ts'o wrote:
> Funny thing; when academics write papers criticizing the Linux
> random driver, it's often because they think we *still* don't do
> a good enough job by their lights.
>
> And then there is the camp who believes that once you gather 256 bits
> or so of "true randomness", all you need to do is just crank a DRBG,
> and the rest is all just mummery, and I get mocked/criticized/told I'm
> stupid by that crowd too.
>
> Which is OK. Over time, you learn how to have a thick skin when
> people deliver mutually conflicting criticisms. :-)
My 20 millibucks says it's important for cryptography that no
sequence of observed outputs should allow anyone to predict
future outputs. I consider that if they can directly observe
the state of the RNG or its power requirements or instruction
counts, they have hardware access, which makes them at best an
uncommon threat relative to the ubiquitous problem of network
access.
That said, I find myself using the cryptographic RNG for non-
cryptographic purposes sometimes, specifically because the small
state of the PRNGs provided by most systems means I cannot get
a sequence of uncorrelated outputs more than a few dozen bits
long out of them. 256 bits of state limits the uncorrelated
sequence to just four int64's, which is nowhere near enough
even for some simulation and statistics applications.
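As a concrete illustration of that non-cryptographic use, here is a minimal Python sketch (the draw count is arbitrary, and Python is just a stand-in for whatever language the simulation uses):

```python
import random

# random.SystemRandom draws from the kernel's cryptographic RNG
# (os.urandom, i.e. /dev/urandom on Linux), so a long run of draws
# is not constrained by the small state of a typical libc
# rand()-style generator.
sysrand = random.SystemRandom()

# A long run of 64-bit values for a simulation; 1000 is arbitrary.
draws = [sysrand.getrandbits(64) for _ in range(1000)]
```

The trade-off is speed: the kernel RNG is slower than an in-process generator, which is tolerable for statistics work but worth measuring first.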
> I'll also add that improving boot-time entropy is the hard part; and
> it has nothing to do with changing the crypto.
In my very strong opinion, a requirement for boot-time entropy can
result only from bad design. Systems that need boot-time entropy
need it only because they are doing things at boot time which
should not be done at boot time, and failure to correct this OS
design failure is actively harmful to security.
The issue is that if you are building a dependence on secure
communications into the boot sequence, that means that you are
depending on external systems and their state of security. If
you build a need for external systems that deeply into the OS,
you are exposing the booting machine to compromises and failures
of both those external systems and the communications network.
Fully boot a purely local operating system before you attempt
to open any external communications, and open those external
communications in process spaces where the kernel can monitor
and/or sandbox them. In short, make sure your local operating
system is fully instantiated and can protect itself from anything
that can come over external communications.
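The ordering described above can be expressed in service-manager configuration; a hypothetical systemd unit sketch (the unit and binary names are illustrative, not from the post):

```ini
# netclient.service -- hypothetical network-facing service.
# Ordering it after the local system is fully up keeps network
# exposure out of the early boot path, and the sandboxing
# directives let the kernel confine what comes in over the wire.
[Unit]
Description=Example network client, started only after local boot
After=multi-user.target network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/bin/example-net-client
# Kernel-enforced sandboxing for the network-facing process:
ProtectSystem=strict
PrivateTmp=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```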
And for this reason my own personal opinion is that providing
the people who promote this network-before-fully-booted failure
of design with the early-boot entropy they desire contributes
to a problem, in that it allows them to skate along for one or
two or ten more years without correcting that fundamental
failure, or even to continue in blithe denial of the idea that
it needs to be corrected.
On the other hand failing to provide the early-boot entropy they
desire, in any context where they cannot be dissuaded from that
failure of design, will result in yet worse breakage. So this
really is kind of between a rock and a hard place.
> P.S. Oh, and if anyone can get the ARM architecture folks to specify
> a cycle counter which is guaranteed to be there, or at the very least,
> won't crash the SOC if you try to use it and it's not there --- which
> is why Linux doesn't try to use the cycle counter at all on most ARM
> platforms, even though it's often present (it's just that it's not
> guaranteed by the ARM architecture, and if you guess wrong, the
> results are catastrophic) --- that would be awfully nice.
This seems like the sort of thing to test in very early boot.
Wake up, check a variable ARM-COUNTER from the disk, find it equal
to zero, write one to it, flush the disk buffer, attempt to
continue using the counter. If you don't crash, write a
zero back to ARM-COUNTER and remember (in some other bit) that
the counter is valid. If you do crash, you wake up again in
a forced reboot, but this time you find ARM-COUNTER equal to
one - so you write a zero to it, remember (in your other bit)
that the counter is invalid, and never ever use the counter.
The result is that boxes where the cycle counter is
unimplemented have a slightly longer boot sequence, containing
one early crash-and-reboot. It's ugly as sin, but I used to do
the same thing boot-testing for math coprocessors on 8088 boxes.
Bear