From: "Theodore Ts'o" <tytso@mit.edu>
To: Stephan Mueller <smueller@chronox.de>
Cc: linux-crypto@vger.kernel.org, lkml <linux-kernel@vger.kernel.org>
Subject: Re: [RFC][PATCH] Entropy generator with 100 kB/s throughput
Date: Sat, 9 Feb 2013 13:06:29 -0500 [thread overview]
Message-ID: <20130209180629.GD8091@thunk.org> (raw)
In-Reply-To: <51157686.9000404@chronox.de>
On Fri, Feb 08, 2013 at 11:04:54PM +0100, Stephan Mueller wrote:
> * an array of statistical test suites pass the output of the entropy
> collector
> (again, the output is not mangled with cryptography)
You're not mangling the output with cryptography, but you are doing
some mangling in jitterentropy_cpu_jitter().
So let's be clear about what the heart of your entropy source is:
You're getting the nanoseconds out of clock_gettime(CLOCK_REALTIME),
and then mixing it using XOR and a ROL(3) into a 64-bit buffer, and
interspersing the calls to clock_gettime() with schedule().
So what a code breaker at the NSA would probably try to do first is to
measure is whether there is any kind of bias or non-entropy in the
nanoseconds returned by CLOCK_REALTIME after calls to schedule(). If
they can find any kind of bias, they can use that to calculate what
kind of patterns or non-random bits might end up showing up after you
do your non-cryptographic mangling.
For that reasons, what I would suggest doing first is generate a
series of outputs of jitterentropy_get_nstime() followed by
schedule(). Look and see if there is any pattern. That's the problem
with the FIPS 140-2 tests. Passing those tests are necessary, but
*NOT* sufficient to prove that you have a good cryptographic
generator. Even the tiniest amount of post-processing, even if they
aren't cryptographic, can result in an utterly predictable series of
numbers to pass the FIPS 140-2 tests.
Regards,
- Ted
next prev parent reply other threads:[~2013-02-09 18:06 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-08 22:04 [RFC][PATCH] Entropy generator with 100 kB/s throughput Stephan Mueller
2013-02-09 18:06 ` Theodore Ts'o [this message]
2013-02-10 1:57 ` Jeff Epler
2013-02-10 12:46 ` Stephan Mueller
2013-02-10 15:53 ` Jeff Epler
2013-02-10 18:50 ` Theodore Ts'o
2013-02-10 19:27 ` Sandy Harris
2013-02-10 19:32 ` Stephan Mueller
2013-02-10 21:59 ` Sandy Harris
2013-02-11 0:05 ` Theodore Ts'o
2013-02-10 12:25 ` Stephan Mueller
2013-02-21 14:07 ` Phil Carmody
2013-02-21 14:17 ` Stephan Mueller
2013-02-21 17:46 ` Sandy Harris
2013-02-21 20:30 ` Theodore Ts'o
[not found] ` <CAFtRNNzcUpxT3R6ttUJ0c-7QTVRxbwRVq6bPqvkSL93vbstT4g@mail.gmail.com>
2013-02-22 11:14 ` Nick Kossifidis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130209180629.GD8091@thunk.org \
--to=tytso@mit.edu \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).