[Cryptography] RFC possible changes for Linux random device

Theodore Ts'o tytso at mit.edu
Tue Sep 16 13:17:39 EDT 2014


On Tue, Sep 16, 2014 at 12:08:15PM -0400, Paul Wouters wrote:
> >In all cases, if anything fails (including ENOMEM, the user not
> >compiling AES into the kernel, the AES crypto module failing to load,
> >etc., etc., etc.,) we fall back to the existing methods of using the
> >urandom pool.  I think I mentioned this in one portion of the
> >proposal, but this was supposed to be a universal fallback.
> 
> Then why do the AES operation on all zeros then, if it will not
> get used anyway?

Basically, because if I use ctr(aes) mode, then the Linux crypto layer
takes care of all of the deblocking issues when the userspace reads
something which isn't an exact multiple of the AES block size.  This
is me being lazy --- in the ctr(aes) mode, encrypting zero bytes is a
quick and dirty way of giving me an aes-ctr DRBG without having to do
extra implementation work.

						- Ted
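The two properties Ted relies on above (encrypting zero bytes in CTR mode yields the raw keystream, and the mode handles reads that are not a multiple of the AES block size) can be checked in a few lines. The following Go program is an added illustration, not code from the kernel patch or from this thread; it uses Go's standard crypto/aes and crypto/cipher in place of the Linux crypto layer, a fixed key and IV that are constructed for the demo and are not secure seed values, and a hypothetical readWithFallback that models the "if anything fails, fall back" rule by falling back to crypto/rand when the generator cannot be built.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"log"
)

// Constructed key and IV so the example runs offline. A real DRBG takes
// these from the entropy pool; these fixed values are NOT secure.
var demoKey = bytes.Repeat([]byte{0x42}, 16)
var demoIV = bytes.Repeat([]byte{0x01}, 16)

// zeroCTR "encrypts" all-zero buffers with AES-CTR. Because the plaintext
// is zero, the output is exactly the keystream, and the CTR stream object
// keeps the counter and the partially consumed block between reads.
type zeroCTR struct{ stream cipher.Stream }

func newZeroCTR(key, iv []byte) (*zeroCTR, error) {
	block, err := aes.NewCipher(key) // fails on a bad key length
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes", block.BlockSize())
	}
	return &zeroCTR{stream: cipher.NewCTR(block, iv)}, nil
}

// Read returns n bytes by XORing the keystream into n zero bytes.
func (z *zeroCTR) Read(n int) []byte {
	buf := make([]byte, n) // all zeros
	z.stream.XORKeyStream(buf, buf)
	return buf
}

// firstBlockIsEncryptedCounter checks that the first 16 output bytes are
// AES_k(IV): with zero plaintext, CTR output is the encrypted counter itself.
func firstBlockIsEncryptedCounter() bool {
	g, err := newZeroCTR(demoKey, demoIV)
	if err != nil {
		return false
	}
	got := g.Read(aes.BlockSize)
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return false
	}
	want := make([]byte, aes.BlockSize)
	block.Encrypt(want, demoIV)
	return bytes.Equal(got, want)
}

// oddSizedReadsAreDeblocked checks the "deblocking" point: reading 5 bytes
// then 7 bytes gives the same stream as one 12-byte read, even though
// neither read is a multiple of the 16-byte block size.
func oddSizedReadsAreDeblocked() bool {
	a, errA := newZeroCTR(demoKey, demoIV)
	b, errB := newZeroCTR(demoKey, demoIV)
	if errA != nil || errB != nil {
		return false
	}
	first := a.Read(5)
	second := a.Read(7)
	split := append(append([]byte{}, first...), second...)
	whole := b.Read(12)
	return bytes.Equal(split, whole)
}

// readWithFallback (hypothetical) models the universal fallback: if the
// AES-CTR generator cannot be constructed, serve the request from the
// platform's existing random source instead of failing the read.
func readWithFallback(key, iv []byte, n int) ([]byte, bool) {
	if g, err := newZeroCTR(key, iv); err == nil {
		return g.Read(n), false
	}
	out := make([]byte, n)
	if _, err := rand.Read(out); err != nil {
		log.Fatal(err) // no randomness at all is a hard failure
	}
	return out, true
}

func main() {
	out, fellBack := readWithFallback(demoKey, demoIV, 20)
	fmt.Printf("20 bytes: %s (fallback=%v)\n", hex.EncodeToString(out), fellBack)
	fmt.Println("first block == AES_k(IV):", firstBlockIsEncryptedCounter())
	fmt.Println("5+7 == 12:", oddSizedReadsAreDeblocked())
}
```

The fallback path in this sketch does not reseed or limit output per key; it only shows the shape of the check. A production generator has to rekey from the pool on a schedule, which is the part the zero-plaintext trick does not give you for free.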

