[Cryptography] The Crypto Pi
Ben Laurie
ben at links.org
Sun Jan 25 09:27:09 EST 2015
On 18 January 2015 at 14:50, Ralf Senderek <crypto at senderek.ie> wrote:
> OnWed Jan 14 04:41:15 EST 2015 John Gilmore wrote:
>
>> [quoting Bakul Shah]
>>
>> > On linux/pi the h/w RNG is available under /dev/hwrng.
>> > /dev/random is their standard "cryptographic pseudo RNG". It
>> > seems to be extremely slow (80 bits/second) or broken or has
>> > the wrong default settings.
>> >
>> > FreeBSD/pi /dev/random is much much faster @ 33Mibis/sec. AFAIK
>> > it doesn't use the h/w RNG.
I'm pretty sure modern FreeBSDs do use it. Can't speak to the pi
particularly, though.
>>
>> The problem on Linux is probably that they failed to run rngd, the
>> hardware randomness daemon. (In Debian/Ubuntu it's in the "rng-tools"
>> package.)
>>
>> The problem on FreeBSD is that /dev/random doesn't wait for entropy,
>> it just makes pseudorandomness as fast as it can.
We did some experiments a while back which suggest that you can get
sufficient entropy during startup by measuring device attach times.
Probably worth repeating the experiment on the pi - and enabling this
(I am not sure whether FreeBSD does by default, I got tired of arguing
about it).
> The Crypto Pi needs a random key with at least 128 bits of entropy
> for every message (AES). The desirable hardware platform would be
> the beagle bone and the OS OpenBSD to make auditing possible.
>
> But there is a problem with the randomness source on the beagle bone.
> I've monitored the state of the kernel's entropy pool via /proc and
> found that if you read 10 Bytes from /dev/random the entropy level
> drops by 52 bits. A short time later reading another 10 Bytes the beagle
> blocks for 54 seconds. Reading 20 bytes for the first time removes
> 116 bit of entropy from the pool and the second read blocks for nearly
> 70 seconds. The beagle bone needs 143 seconds to recover and to add
> a 100 bits of entropy back to the pool. There's no rngd running.
I'm not sure what "removing bits from the pool" really means -
extracting n bits from a pool does not, IMO, remove n bits, or even
any large fraction of n, from the pool.
More information about the cryptography
mailing list