mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: "H. Peter Anvin" <hpa@linux.intel.com>
To: Stephan Mueller <smueller@chronox.de>
Cc: herbert@gondor.apana.org.au, Ted Tso <tytso@mit.edu>,
	sandyinchina@gmail.com,
	Jason Cooper <cryptography@lakedaemon.net>,
	John Denker <jsd@av8n.com>, Joe Perches <joe@perches.com>,
	Pavel Machek <pavel@ucw.cz>, George Spelvin <linux@horizon.com>,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v6 0/5] /dev/random - a new approach
Date: Tue, 16 Aug 2016 15:49:25 -0700	[thread overview]
Message-ID: <5a2a350c-65c0-3893-aeb3-66775157fc8b@linux.intel.com> (raw)
In-Reply-To: <2f43d23f-5fbe-9653-fc1c-489db1c7bde4@linux.intel.com>

On 08/16/16 15:28, H. Peter Anvin wrote:
> On 08/15/16 22:45, Stephan Mueller wrote:
>> Am Montag, 15. August 2016, 13:42:54 CEST schrieb H. Peter Anvin:
>>
>> Hi H,
>>
>>> On 08/11/16 05:24, Stephan Mueller wrote:
>>>> * prevent fast noise sources from dominating slow noise sources
>>>>
>>>>   in case of /dev/random
>>>
>>> Can someone please explain if and why this is actually desirable, and if
>>> this assessment has been passed to someone who has actual experience
>>> with cryptography at the professional level?
>>
>> There are two motivations for that:
>>
>> - the current /dev/random is compliant to NTG.1 from AIS 20/31 which requires 
>> (in brief words) that entropy comes from auditible noise sources. Currently in 
>> my LRNG only RDRAND is a fast noise source which is not auditible (and it is 
>> designed to cause a VM exit making it even harder to assess it). To make the 
>> LRNG to comply with NTG.1, RDRAND can provide entropy but must not become the 
>> sole entropy provider which is the case now with that change.
>>
>> - the current /dev/random implementation follows the same concept with the 
>> exception of 3.15 and 3.16 where RDRAND was not rate-limited. In later 
>> versions, this was changed.
>>
> 
> I'm not saying it should be *sole*.  I am questioning the value in
> limiting it, as it seems to me that it could only ever produce a worse
> result.
> 

Also, it would be great to actually get a definition for "auditable".  A
quantum white noise source which exceeds the sampling bandwidth is an
ideal RNG; how do you "audit" that?  If what you are doing is looking
for imperfections, those imperfections can be trivially emulated.  If
what you mean is an audit on the chip or circuit level, that would
require some mechanism to know that all items were built identically
without deviation, which may be possible for intelligence agencies or
the military who have full control of their supply chain, but for anyone
else that is most likely an impossible task.  How many people are going
to crack the case and look at even a discrete transistor circuit, and
how many of *those* are going to be able to discern if that circuit is
subject to RF capture, or its output even used?

I have been trying to figure out how to reasonably solve this problem
for a long time now, and it is not just a problem for RDSEED (RDRAND is
a slightly different beast.)  The only reason RDSEED exposes the problem
particularly harshly is because it is extremely high bandwidth compared
to other noise sources and it is architecturally integrated into the
CPU, but the same would apply to an external noise generator connected
via PCIe, for example.

Incidentally, I am hoping -- and this is a personal statement and
nothing official from Intel -- that at some future date RDRAND (not
RDSEED) will be fast enough that it can completely replace even
prandom_u32(), which I really hope can be non-controversial as
prandom_u32() isn't cryptographically strong in the first place.

	-hpa

  reply	other threads:[~2016-08-16 22:49 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-11 12:24 Stephan Mueller
2016-08-11 12:24 ` [PATCH v6 1/5] crypto: DRBG - externalize DRBG functions for LRNG Stephan Mueller
2016-08-11 12:25 ` [PATCH v6 2/5] random: conditionally compile code depending on LRNG Stephan Mueller
2016-08-11 12:25 ` [PATCH v6 3/5] crypto: Linux Random Number Generator Stephan Mueller
2016-08-11 12:26 ` [PATCH v6 4/5] crypto: LRNG - enable compile Stephan Mueller
2016-08-11 13:50   ` kbuild test robot
2016-08-11 14:03     ` Stephan Mueller
2016-08-11 12:26 ` [PATCH v6 5/5] crypto: LRNG - add ChaCha20 support Stephan Mueller
2016-08-11 21:36 ` [PATCH v6 0/5] /dev/random - a new approach Theodore Ts'o
2016-08-12  9:34   ` Stephan Mueller
2016-08-12 19:22     ` Theodore Ts'o
2016-08-15  6:13       ` Stephan Mueller
2016-08-15 15:00         ` Theodore Ts'o
2016-08-17 21:42   ` Pavel Machek
2016-08-18 17:27     ` Theodore Ts'o
2016-08-18 18:39       ` Pavel Machek
2016-08-19  2:49         ` Theodore Ts'o
2016-08-19  5:56           ` Herbert Xu
2016-08-19 17:20             ` H. Peter Anvin
2016-08-21  3:14               ` Herbert Xu
2016-08-19  7:48           ` Pavel Machek
2016-08-15 20:42 ` H. Peter Anvin
2016-08-16  5:45   ` Stephan Mueller
2016-08-16 22:28     ` H. Peter Anvin
2016-08-16 22:49       ` H. Peter Anvin [this message]
2016-08-17  5:21       ` Stephan Mueller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5a2a350c-65c0-3893-aeb3-66775157fc8b@linux.intel.com \
    --to=hpa@linux.intel.com \
    --cc=cryptography@lakedaemon.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=joe@perches.com \
    --cc=jsd@av8n.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@horizon.com \
    --cc=pavel@ucw.cz \
    --cc=sandyinchina@gmail.com \
    --cc=smueller@chronox.de \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome