From: "Theodore Ts'o" <tytso@mit.edu>
To: Sandy Harris <sandyinchina@gmail.com>
Cc: Stephan Mueller <smueller@chronox.de>,
Phil Carmody <pc+lkml@asdf.org>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC][PATCH] Entropy generator with 100 kB/s throughput
Date: Thu, 21 Feb 2013 15:30:16 -0500 [thread overview]
Message-ID: <20130221203016.GE17322@thunk.org> (raw)
In-Reply-To: <CACXcFmnBNHab57dzx+QdqS=BTbUPCJo4zkztCw7W2Yfab+m5ow@mail.gmail.com>
On Thu, Feb 21, 2013 at 12:46:45PM -0500, Sandy Harris wrote:
>
> Also, in some designs it is possible to get very close to calculating
> entropy. The Turbid generator, for example, uses physical measurements
> of sound card properties plus arguments from standard circuit physics to
> prove a lower bound on the Johnson noise that must exist in the circuit.
> From that plus some quite moderate assumptions about properties of
> the hash, you get a provable lower bound on output entropy.
That's assuming you're talking to a real physical sound card, however.
Suppose you have a set up where the user is running one or more VM's
on their desktop, and the VM (possibly with some assist from
PulseAudio) is multiplexing the host sound card and doing upmixing
and/or downmixing as part of its multiplexing magic?
Would the Turbid generator be able to detect this situation, and would
its entropy estimates be correct? Even if they are correct, the fact
that another VM might be getting the same stream of inputs,
unbeknownst to the Turbid generator, might mean that an adversary
might have access to the "entropy" being generated by the PulseAudio
stream....
(And yes, there is the same potential issue with the current
/dev/random sampling what it thinks is hardware noise generation from
network and hdd interrupts; the point is that entropy collection in
the VM is *hard* and extremely error-prone. In the end you're
probably better off using paravirtualization for /dev/random and trust
the Host OS to give you good randomness. After all, if you don't
trust the Host OS, you're fundamentally screwed anyway....)
- Ted
next prev parent reply other threads:[~2013-02-21 20:40 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-08 22:04 [RFC][PATCH] Entropy generator with 100 kB/s throughput Stephan Mueller
2013-02-09 18:06 ` Theodore Ts'o
2013-02-10 1:57 ` Jeff Epler
2013-02-10 12:46 ` Stephan Mueller
2013-02-10 15:53 ` Jeff Epler
2013-02-10 18:50 ` Theodore Ts'o
2013-02-10 19:27 ` Sandy Harris
2013-02-10 19:32 ` Stephan Mueller
2013-02-10 21:59 ` Sandy Harris
2013-02-11 0:05 ` Theodore Ts'o
2013-02-10 12:25 ` Stephan Mueller
2013-02-21 14:07 ` Phil Carmody
2013-02-21 14:17 ` Stephan Mueller
2013-02-21 17:46 ` Sandy Harris
2013-02-21 20:30 ` Theodore Ts'o [this message]
[not found] ` <CAFtRNNzcUpxT3R6ttUJ0c-7QTVRxbwRVq6bPqvkSL93vbstT4g@mail.gmail.com>
2013-02-22 11:14 ` Nick Kossifidis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130221203016.GE17322@thunk.org \
--to=tytso@mit.edu \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pc+lkml@asdf.org \
--cc=sandyinchina@gmail.com \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).