All of lore.kernel.org
 help / color / mirror / Atom feed
From: Stephan Mueller <smueller@chronox.de>
To: George Spelvin <linux@horizon.com>
Cc: herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org,
	nhorman@tuxdriver.com
Subject: Re: [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c
Date: Mon, 15 Dec 2014 09:50:17 +0100	[thread overview]
Message-ID: <6843393.LtnAY8kkPy@tauon> (raw)
In-Reply-To: <20141215084244.10306.qmail@ns.horizon.com>

Am Montag, 15. Dezember 2014, 03:42:44 schrieb George Spelvin:

Hi George,

>> - the non-determinism you get from get_random_int is very weak. If
>> you start thinking about the information theoretical entropy behind
>> that function that is used once in a while, you may not get much
>> entropy. Please, please, please, I do not want to start a discussion
>> around entropy -- I will not participate in such discussion :-)
>
>I could have such a discussion, but there's no need to; for the most
>part, I agree with you.  I wasn't trying to design a *good* RNG, I was
>trying to comply slavishly with what X9.17, X9.31, and the NIST
>specification call for: a timetamp.
>
>To quote
>http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf,
>section 3:
>
># Let DT be a date/time vector which is updated on each iteration.
>
>That's what I was trying to produce, nothing more and nothing less.

If you look into other X9.31 implementations, you see that the DT vector 
is a time stamp (even sometimes initialized to just 0 or 1) and then 
incremented each time. Thus, you get "some form" of a counter mode for 
the AES core.

But of course, you could update DT with time stamps, provided you can 
prove that they are monotonically increasing. 
>
>You will agree, I hope, that the result from get_random_int *does*
>include the entropy of a high-resolution timestamp?  Which is

get_random_int does provide entropy, but my gut feeling (I have not done 
measurements) is that it is in the range of maybe 2 / 3 bits per 
invocation.

>cryptographically equivalent to including the unobfuscated timestamp?

Sure.
>
>> Thus, I am questioning whether such slightly non-deterministic RNG
>> would be used.
>
>As far as I know the only reason to *ever* use ansi_cprng is for
>regulatory/certification reasons.  It's not horrible, but it's
>definitely been superseded, by the NIST SP800-90A generators at least.

Yes, therefore we have the DRBG implementation.
>
>Which is why I'm trying to follow the spec as precisely as possible.

If you only look at the regulatory side, then you must be aware of 
SP800-131A applicable at least to the US side. X9.31 is sunsetted by the 
end of 2015 and even not FIPS 140-2 certifiable any more for new 
validations.

Ciao
Stephan

  reply	other threads:[~2014-12-15  8:50 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-07 12:26 [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c George Spelvin
2014-12-07 12:26 ` [PATCH v2 01/25] crypto: ansi_cprng - unroll _get_more_prng_bytes George Spelvin
2014-12-07 12:26 ` [PATCH v2 02/25] crypto: ansi_cprng - Additional _get_more_prng_bytes cleanup George Spelvin
2014-12-07 12:26 ` [PATCH v2 03/25] crypto: ansi_cprng - Use %phN rather than print_hex_dump for debug George Spelvin
2014-12-07 12:26 ` [PATCH v2 04/25] crypto: ansi_cprng - Make debug output more like NIST test vectors George Spelvin
2014-12-07 12:26 ` [PATCH v2 05/25] crypto: ansi_cprng - Eliminate ctx->I and ctx->last_rand_data George Spelvin
2014-12-14 11:50   ` Stephan Mueller
2014-12-14 19:22     ` George Spelvin
2014-12-07 12:26 ` [PATCH v2 06/25] crypto: ansi_cprng - Make cont_test a bool George Spelvin
2014-12-07 12:26 ` [PATCH v2 07/25] crypto: ansi_cprng - Shrink context some more George Spelvin
2014-12-07 12:26 ` [PATCH v2 08/25] crypto: ansi_cprng - Don't call reset_prng_context from cprng_init George Spelvin
2014-12-07 12:26 ` [PATCH v2 09/25] crypto: ansi_cprng - Make length types consistent George Spelvin
2014-12-07 12:26 ` [PATCH v2 10/25] crypto: ansi_cprng - Use u8 data types consistently internally George Spelvin
2014-12-07 12:26 ` [PATCH v2 11/25] crypto: ansi_cprng - Eliminate unused PRNG_FIXED_SIZE flag George Spelvin
2014-12-07 12:26 ` [PATCH v2 12/25] crypto: ansi_cprng - Get rid of rdata buffer in fips_cprng_reset George Spelvin
2014-12-07 12:26 ` [PATCH v2 13/25] crypto: Add appropriate consts to RNG API George Spelvin
2014-12-14 11:39   ` Stephan Mueller
2014-12-07 12:26 ` [PATCH v2 14/25] crypto: tcrypt - Add const qualifiers all over the test code George Spelvin
2014-12-07 12:26 ` [PATCH v2 15/25] crypto: testmgr - Merge seed arrays in struct cprng_testvec George Spelvin
2014-12-07 12:26 ` [PATCH v2 16/25] crypto: testmgr - Report failure on zero-length crypto_rng_get_bytes George Spelvin
2014-12-07 12:26 ` [PATCH v2 17/25] crypto: testmgr - Don't crash if CPRNG test result is large George Spelvin
2014-12-07 12:26 ` [PATCH v2 18/25] crypto: testmgr - Add CPRNG stutter test George Spelvin
2014-12-07 12:26 ` [PATCH v2 19/25] crypto: ansi_cprng - simplify get_prng_bytes George Spelvin
2014-12-07 12:26 ` [PATCH v2 20/25] crypto: ansi_cprng - simplify xor_vectors() to xor_block() George Spelvin
2014-12-07 12:26 ` [PATCH v2 21/25] crypto: ansi_cprng - Rename rand_data_valid more sensibly George Spelvin
2014-12-07 12:26 ` [PATCH v2 22/25] crypto: ansi_cprng - Tweak comments George Spelvin
2014-12-07 12:26 ` [PATCH v2 23/25] crypto: ansi_cprng - Introduce a "union cipherblock" George Spelvin
2014-12-07 12:26 ` [PATCH v2 24/25] crypto: ansi_cprng - Introduce non-deterministic mode George Spelvin
2014-12-07 12:26 ` [PATCH v2 25/25] crypto: ansi_cprng - If non-deterministic, don't buffer old output George Spelvin
2014-12-07 22:49   ` George Spelvin
2014-12-08 14:22     ` Neil Horman
2014-12-08 16:43       ` George Spelvin
2014-12-08 18:07         ` Neil Horman
2014-12-08 20:34           ` George Spelvin
2014-12-14 12:06 ` [PATCH v2 00/25] Multiple changes to crypto/ansi_cprng.c Stephan Mueller
2014-12-14 19:47   ` George Spelvin
2014-12-15  6:18     ` Stephan Mueller
2014-12-14 20:37   ` George Spelvin
2014-12-15  6:14     ` Stephan Mueller
2014-12-15  8:42       ` George Spelvin
2014-12-15  8:50         ` Stephan Mueller [this message]
2014-12-15 10:45           ` George Spelvin
2014-12-15 11:08             ` Stephan Mueller
2014-12-15  5:53   ` George Spelvin
2014-12-15  6:27     ` Stephan Mueller
2014-12-15  8:28       ` George Spelvin
2014-12-15  8:56         ` Stephan Mueller
2014-12-15 10:21           ` George Spelvin
2014-12-15 10:46             ` Stephan Mueller
2014-12-15 11:32               ` Neil Horman
2014-12-15 22:01                 ` George Spelvin
2014-12-16  7:22                   ` Stephan Mueller
2014-12-16 11:32                   ` Neil Horman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6843393.LtnAY8kkPy@tauon \
    --to=smueller@chronox.de \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux@horizon.com \
    --cc=nhorman@tuxdriver.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.