Re: [PROPOSAL/PATCH] Fortuna PRNG in /dev/random

From: Theodore Ts'o
Date: Mon Sep 27 2004 - 09:59:42 EST

On Mon, Sep 27, 2004 at 09:32:03AM -0400, Jean-Luc Cooke wrote:
> I'll read over this once I finish re-writing my patch to use your entropy
> estimation.

While you're at it, please re-read RFC 793 and RFC 1185. You still
don't have TCP sequence generation done right. The global counter
is being increased for every TCP connection, and with only eight bits,
it can wrap very frequently. Encrypting the source/destination
address/port tuple and using that as an offset to the global clock,
and then only bumping the counter when you rekey would be much more in
the spirit of RFC 1185, and would result in sequence numbers much less
likely to cause stale packets to get mistakenly accepted.

I'm still a bit concerned about whether doing AES is going to be a
speed issue. Your comparisons against MD4 using openssl don't really
prove much, because (a) the original code used a cut-down MD4, and (b)
the openssl benchmark does a large number of encryptions and nothing
else, so all of the AES key schedule and tables will be in cache.

The only real way to settle this would be to ask Jamal and some of the
other networking hackers to repeat their benchmarks and see if the AES
encryption for every TCP SYN is a problem or not. CPU's have gotten
faster (but then again so have networks, and memory has *not* gotten
much faster), so only a real benchmark will tell us for sure.

- Ted
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at