[Cryptography] RFC possible changes for Linux random device

CodesInChaos codesinchaos at gmail.com
Tue Sep 16 07:56:35 EDT 2014


On Tue, Sep 16, 2014 at 5:31 AM, Theodore Ts'o <tytso at mit.edu> wrote:
> When a process tries to open /dev/urandom or tries to use the new
> getrandom(2) system call for the first time, if the AES cipher is
> enabled, grab a key and use it to set up a crypt_tfm structure which would
> be hanging off the Linux's current (task_struct) structure, using the
> ctr(aes) cipher.  If this is successful, in order to generate N bytes
> of randomness, encrypt using ctr(aes) a buffer filled with RDRAND (if
> available) or all zeros (if not).

I like having a secure RNG that's fast, even for short messages,
so I like the idea in principle.
Getting rid of all those fragile fork-related hacks is very nice as well.

Might have been lost in the summary, but using a fixed key is not a good idea
since it doesn't offer forward secrecy.

The simplest way to avoid that is using the first 32 bytes of output as the new key,
pretty similar to what Fortuna uses.
The problem with that is that overwriting the key requires synchronization
or thread-local keys to ensure thread safety.
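To make the forward-secrecy point concrete, here is an added toy model of the two designs discussed above; it is illustrative code written for this page, not the kernel's code and not anything posted by Ts'o or CodesInChaos. It runs AES-256 in CTR mode over a buffer that is either zeros or caller-supplied "fresh" bytes (a stand-in for RDRAND output), optionally withholding the first 32 bytes of each request's keystream as the next key, as the reply suggests. The seed, the 64-bit block counter layout and the "attacker snapshots key and counter" model are assumptions of the example, and the mutex shows the serialization cost the reply mentions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"sync"
)

// ctrGenerator is a toy model of the design sketched on the list: AES-256 in
// counter mode over a buffer holding either zeros or fresh hardware entropy.
// When rekey is set, the first 32 bytes of every request's keystream are kept
// back and installed as the next key (the Fortuna-style key erasure the reply
// suggests); otherwise the key is fixed for the generator's lifetime.
type ctrGenerator struct {
	mu      sync.Mutex // rewriting the key needs serialization, as the reply notes
	key     [32]byte
	counter uint64 // block counter; the upper 64 bits of the CTR IV stay zero (assumption)
	rekey   bool
}

func newCtrGenerator(seed [32]byte, rekey bool) *ctrGenerator {
	return &ctrGenerator{key: seed, rekey: rekey}
}

// keystream encrypts buf under the current key starting at the current block
// counter and advances the counter past the blocks consumed.
func (g *ctrGenerator) keystream(buf []byte) []byte {
	block, err := aes.NewCipher(g.key[:])
	if err != nil {
		panic(err) // a 32-byte key is always accepted by aes.NewCipher
	}
	var iv [aes.BlockSize]byte
	binary.BigEndian.PutUint64(iv[8:], g.counter)
	out := make([]byte, len(buf))
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, buf)
	g.counter += uint64((len(buf) + aes.BlockSize - 1) / aes.BlockSize)
	return out
}

// Generate returns n bytes of output. fresh stands in for RDRAND output
// (nil means the all-zero buffer) and is XORed into the keystream, so even
// someone holding the key cannot predict output without knowing it.
func (g *ctrGenerator) Generate(n int, fresh []byte) []byte {
	g.mu.Lock()
	defer g.mu.Unlock()
	extra := 0
	if g.rekey {
		extra = 32
	}
	buf := make([]byte, extra+n)
	copy(buf[extra:], fresh)
	ks := g.keystream(buf)
	if g.rekey {
		copy(g.key[:], ks[:32]) // the key that produced this output is erased before it is released
	}
	return ks[extra:]
}

// snapshot models a compromise that reads the generator's key and counter
// (for example from a memory dump) at this instant.
func (g *ctrGenerator) snapshot() *ctrGenerator {
	g.mu.Lock()
	defer g.mu.Unlock()
	return &ctrGenerator{key: g.key, counter: g.counter, rekey: g.rekey}
}

// demoSeed is a constructed seed; a real generator would draw it from the entropy pool.
var demoSeed = [32]byte{
	0x5e, 0xed, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
	0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d,
}

// recoversPastOutput reports whether state captured after the second request
// lets the holder rewind the counter and reproduce the first request's output.
func recoversPastOutput(rekey bool) bool {
	g := newCtrGenerator(demoSeed, rekey)
	first := g.Generate(48, nil)
	g.Generate(48, nil)
	captured := g.snapshot()
	captured.counter = 0 // replay the keystream from the beginning under the captured key
	return bytes.Equal(captured.Generate(48, nil), first)
}

// predictsFutureOutput reports whether captured state yields the next request's
// output; fresh is the hardware entropy the real generator mixes in, which the
// holder of the snapshot does not see.
func predictsFutureOutput(rekey bool, fresh []byte) bool {
	g := newCtrGenerator(demoSeed, rekey)
	g.Generate(48, nil)
	captured := g.snapshot()
	return bytes.Equal(captured.Generate(48, nil), g.Generate(48, fresh))
}

func main() {
	fmt.Println("fixed key, past output recovered:     ", recoversPastOutput(false))
	fmt.Println("rekeying,  past output recovered:     ", recoversPastOutput(true))
	fmt.Println("rekeying,  future predicted (zeros):  ", predictsFutureOutput(true, nil))
	fmt.Println("rekeying,  future predicted (RDRAND): ", predictsFutureOutput(true, []byte("constructed fresh entropy bytes")))
}
```

Rekeying from the generator's own output buys forward secrecy only: a captured state still predicts future output when the buffer is all zeros, which is why the RDRAND (or periodic reseed) path matters, and why the key rewrite has to be serialized or made per-thread.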

